CHAPTER 1
INTRODUCTION TO iAPX 286 


The iAPX 286 is the most powerful processor 
in the iAPX 86 series of microprocessors,
which includes the iAPX 86 (8086), the iAPX 
88 (8088), the iAPX 186 (80186), and now 
the iAPX 286 (80286). It is designed for 
applications that require very high perfor- 
mance. It is also an excellent choice for 
sophisticated “high end” applications that will 
benefit from its advanced architectural 
features: memory management, protection 
mechanisms, task management, and virtual 
memory support. The iAPX 286 provides, on 
a single VLSI chip, computational and archi- 
tectural characteristics normally associated 
with much larger minicomputers. 


Sections 1.1, 1.2, and 1.3 provide an overview 
of the iAPX 286 architecture. Because the 
iAPX 286 represents a revolutionary exten- 
sion of the iAPX 86 architecture, some of this 
overview material may be new and unfamiliar
to previous users of the iAPX 86 and
similar microprocessors. But the iAPX 286 is 
also an evolutionary development, with the 
new architecture superimposed upon the 
industry standard iAPX 86 in such a way as 
to affect only the design and programming of 
operating systems and other such system 
software. Section 1.4 provides a guide to the 
organization of this manual, suggesting 
which chapters are relevant to the needs of 
particular readers. 


1.1 GENERAL ATTRIBUTES 


The iAPX 286 base architecture has many 
features in common with the architecture of 
other members of the iAPX 86 family, such 
as byte addressable memory, I/O interfacing 
hardware, interrupt vectoring, and support for 
both multiprocessing and processor exten- 
sions. The entire family has a common set of 
addressing modes and basic instructions. The
iAPX 286 base architecture also includes a
number of extensions which add to the versa- 
tility of the computer. 


The iAPX 286 processor can function in two
modes of operation (see section 1.2, Modes of 
Operation). In one of these modes only the 
base architecture is available to program- 
mers, whereas in the other mode a number of 
very powerful advanced features have been 
added, including support for virtual memory, 
multitasking, and a sophisticated protection 
mechanism. These advanced features are 
described in section 1.3. 


The iAPX 286 base architecture was designed 
to support programming in high-level
languages, such as Pascal, C or PL/M. The 
register set and instructions are well suited to 
compiler-generated code. The addressing 
modes (see section 2.6.3) allow efficient 
addressing of complex data structures, such 
as static and dynamic arrays, records, and 
arrays within records, which are commonly 
supported by high-level languages. The data 
types supported by the architecture include, 
along with bytes and words, high level 
language constructs such as strings, BCD, and 
floating point. 


The memory architecture of the iAPX 286
was designed to support modular programming
techniques. Memory is divided into
segments, which may be of arbitrary size, that 
can be used to contain procedures and data 
structures. Segmentation has several advan- 
tages over more conventional linear memory 
architectures. It supports structured software, 
since segments can contain meaningful 
program units and data, and more compact 
code, since references within a segment can 
be shorter (and locality of reference usually 
insures that the next few references will be
within the same segment). Segmentation also 
lends itself to efficient implementation of 
sophisticated memory management, virtual 
memory, and memory protection. 


In addition, new instructions have been added 
to the base architecture to give hardware 
support for procedure invocations, parameter 
passing, and array bounds checking.


1.2 MODES OF OPERATION 


The iAPX 286 can be operated in either of
two different modes: Real Address Mode or
Protected Virtual Address Mode (also 
referred to as Protected Mode). In either 
mode of operation, the iAPX 286 represents 
an upwardly compatible addition to the iAPX 
86 family of processors.


In Real Address Mode, the iAPX 286 
operates essentially as a very high-performance
iAPX 86 (8086). Programs written for
the iAPX 86 or the iAPX 186 can be executed
in this mode without any modification (the
few exceptions are described in Appendix D,
“Compatibility Considerations”). Such
upward compatibility extends even to the 
object code level; for example, an 8086 
program stored in read-only memory will 
execute successfully in iAPX 286 Real 
Address Mode. An iAPX 286 operating in 
Real Address Mode provides a number of 
instructions not found on the iAPX 86. These 
additional instructions, also present with the 
iAPX 186, allow for efficient subroutine
linkage, parameter validation, index calculations,
and block I/O transfers.


The advanced architectural features and full 
capabilities of the iAPX 286 are realized in 
its native Protected Mode. Among these 
features are sophisticated mechanisms to 
support data protection, system integrity, task 
concurrency, and memory management, 
including virtual storage. Nevertheless, even
in Protected Mode, the iAPX 286 remains 
upwardly compatible with most iAPX 86 and 
iAPX 186 application programs. Most iAPX 
86 applications programs can be re-compiled 
or re-assembled and executed on the
iAPX 286 in Protected Mode. 


1.3 ADVANCED FEATURES 


The architectural features described in section
1.1 are common to both operating modes of 
the processor. In addition to these common 
features, Protected Mode provides a number 
of advanced features, including a greatly 
extended physical and logical address space, 
new instructions, and support for additional 
hardware-recognized data structures. The 
Protected Mode iAPX 286 includes a sophis- 
ticated memory management and multilevel 
protection mechanism. Full hardware support 
is included for multitasking and task switching
operations.


1.3.1 Memory Management 


The memory architecture of the Protected 
Mode iAPX 286 represents a significant 
advance over that of the iAPX 86. The physical
address space has been increased from
1 megabyte to 16 megabytes (2^24 bytes), while
the virtual address space (i.e., the address
space visible to a program) has been increased
from 1 megabyte to 1 gigabyte (2^30 bytes).
Moreover, separate virtual address spaces are 
provided for each task in a multitasking
system (see section 1.3.2, “Task
Management”).


The iAPX 286 supports on-chip memory
management instead of relying on an exter- 
nal memory management unit. The one-chip 
solution is preferable because no software is 
required to manage an external memory 
management unit, performance is much 
better, and hardware designs are significantly
simpler.


Mechanisms have been included in the iAPX
286 architecture to allow the efficient imple- 
mentation of virtual memory systems. (In 
virtual memory systems, the user regards the 
combination of main and external storage as 
a single large memory. The user can write 
large programs without worrying about the 
physical memory limitations of the system. To 
accomplish this, the operating system places 
some of the user programs and data in exter- 
nal storage and brings them into main 
memory only as they are needed.) All 
instructions that can cause a segment-not- 
present fault are fully restartable. Thus, a not- 
present segment can be loaded from external 
storage, and the task can be restarted at the 
point where the fault occurred.


The iAPX 286, like all members of the iAPX 
86 series, supports a segmented memory 
architecture. The iAPX 286 also fully 
integrates memory segmentation into a 
comprehensive protection scheme. This 
protection scheme includes hardware-enforced 
length and type checking to protect segments 
from inadvertent misuse. 


1.3.2 Task Management 


The iAPX 286 is designed to support multi- 
tasking systems. The architecture provides 
direct support for the concept of a task. For 
example, task state segments (see section 8.2) 
are hardware-recognized and hardware- 
manipulated structures that contain infor- 
mation on the current state of all tasks in the 
system.


Very efficient context-switching (task- 
switching) can be invoked with a single 
instruction. Separate logical address spaces 
are provided for each task in the system. 
Finally, mechanisms exist to support inter- 
task communication, synchronization, 
memory sharing, and task scheduling. Task 
Management is described in Chapter 8.


1.3.3 Protection Mechanisms


The iAPX 286 allows the system designer to 
define a comprehensive protection policy to be 
applied, uniformly and continuously, to all 
ongoing operations of the system. Such a 
policy may be desirable to ensure system 
reliability, privacy of data, rapid error recov- 
ery, and separation of multiple users. 


The iAPX 286 protection mechanisms are
based on the notion of a “hierarchy of trust.” 
Four privilege levels are distinguished, 
ranging from Level 0 (most trusted) to Level 
3 (least trusted). Level 0 is usually reserved 
for the operating system kernel. The four 
levels may be visualized as concentric rings, 
with the most privileged level in the center 
(see figure 1-1).


This four-level scheme offers system reliabil- 
ity, flexibility, and design options not possible 
with the typical two-level (supervisor/user)
separation provided by other processors. A 
four-level division is capable of separating 
kernel, executive, system services, and 
application software, each with different 
privileges. 


At any one time, a task executes at one of the 
four levels. Moreover, all data segments and 
code segments are also assigned to privilege 
levels. A task executing at one level cannot 
access data at a more privileged level, nor can 
it call a procedure at a less privileged level 
(i.e., trust a less privileged procedure to do 
work for it). Thus, both access to data and 
transfer of control are restricted in appro- 
priate ways. 


A complete separation can exist between the 
logical address spaces local to different tasks, 
providing users with automatic protection
against accidental or malicious interference by 
other users. The hardware also provides 
immediate detection of a number of fault and
error conditions, a feature that can be useful
in the development and maintenance of
software.


Figure 1-1. Four Privilege Levels


Finally, these protection mechanisms require 
relatively little system overhead because they 
are integrated into the memory management 
and protection hardware of the processor 
itself.
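

The checks described in sections 1.3.1 and 1.3.3 (type, privilege level, length) can be modelled in C. This is an added example, not code from the manual: the segment record, the two segment kinds and the fault names are simplifying assumptions, and calls toward more privileged code are simply allowed here, whereas on the real processor they go through the call gates covered in Chapter 7.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Privilege levels (section 1.3.3): 0 is most trusted, 3 is least trusted. */
enum { KERNEL = 0, EXECUTIVE = 1, SERVICES = 2, APPLICATION = 3 };

typedef enum { SEG_CODE, SEG_DATA } seg_kind;   /* assumption: two kinds only */
typedef enum { OP_READ, OP_WRITE, OP_CALL } seg_op;
typedef enum { ACCESS_OK, FAULT_TYPE, FAULT_PRIVILEGE, FAULT_LENGTH } access_result;

/* Hypothetical segment record for this model; not the real descriptor format. */
typedef struct {
    const char *name;
    seg_kind    kind;
    unsigned    level;   /* privilege level assigned to the segment, 0..3 */
    uint32_t    length;  /* bytes in the segment, 1..65536 (section 2.1) */
} segment;

/* Decide whether a task running at task_level may perform op on `size` bytes
 * at `offset` in seg. For OP_CALL, offset is the entry point; size is unused. */
access_result check_access(unsigned task_level, const segment *seg,
                           seg_op op, uint32_t offset, uint32_t size)
{
    /* Type check: data operations need a data segment, calls need code. */
    if (op == OP_CALL ? seg->kind != SEG_CODE : seg->kind != SEG_DATA)
        return FAULT_TYPE;

    if (op == OP_CALL) {
        /* A task may not call a procedure at a less privileged level
         * (a level numerically greater than its own). */
        if (seg->level > task_level)
            return FAULT_PRIVILEGE;
        return offset < seg->length ? ACCESS_OK : FAULT_LENGTH;
    }

    /* A task may not access data at a more privileged level
     * (a level numerically smaller than its own). */
    if (seg->level < task_level)
        return FAULT_PRIVILEGE;

    /* Length check: the whole operand must lie inside the segment. */
    if (size == 0 || offset >= seg->length || size > seg->length - offset)
        return FAULT_LENGTH;
    return ACCESS_OK;
}

/* One access attempt; the samples below are constructed for illustration. */
typedef struct {
    unsigned task_level; const segment *seg; seg_op op; uint32_t offset, size;
} request;

/* Run a batch of requests and count how many would be refused. */
size_t count_faults(const request *reqs, size_t n)
{
    size_t faults = 0;
    for (size_t i = 0; i < n; i++)
        if (check_access(reqs[i].task_level, reqs[i].seg, reqs[i].op,
                         reqs[i].offset, reqs[i].size) != ACCESS_OK)
            faults++;
    return faults;
}

/* Constructed segments: kernel and application layers of a four-level system. */
static const segment kernel_data = { "kernel_data", SEG_DATA, KERNEL,      4096 };
static const segment kernel_code = { "kernel_code", SEG_CODE, KERNEL,      8192 };
static const segment app_data    = { "app_data",    SEG_DATA, APPLICATION,  256 };
static const segment app_code    = { "app_code",    SEG_CODE, APPLICATION, 1024 };

static const request sample_requests[] = {
    { APPLICATION, &kernel_data, OP_READ,  0,   2 }, /* data is more privileged */
    { KERNEL,      &app_data,    OP_WRITE, 254, 2 }, /* allowed, last two bytes */
    { KERNEL,      &app_data,    OP_WRITE, 255, 2 }, /* runs past the segment   */
    { KERNEL,      &app_code,    OP_CALL,  0,   0 }, /* callee is less trusted  */
    { APPLICATION, &kernel_code, OP_CALL,  0,   0 }, /* allowed in this model   */
    { APPLICATION, &app_code,    OP_WRITE, 0,   1 }, /* write into code segment */
};
#define N_SAMPLES (sizeof sample_requests / sizeof sample_requests[0])

int main(void)
{
    static const char *names[] = { "ok", "type fault", "privilege fault", "length fault" };
    for (size_t i = 0; i < N_SAMPLES; i++) {
        const request *r = &sample_requests[i];
        printf("level %u -> %-11s : %s\n", r->task_level, r->seg->name,
               names[check_access(r->task_level, r->seg, r->op, r->offset, r->size)]);
    }
    printf("%zu of %zu requests refused\n",
           count_faults(sample_requests, N_SAMPLES), (size_t)N_SAMPLES);
    return 0;
}
```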


1.3.4 Support for Operating Systems


Most operating systems involve some degree 
of concurrency, with multiple tasks vying for 
system resources. The task management 
mechanisms described above provide the 
iAPX 286 with inherent support for such 
multi-tasking systems. Moreover, the 
advanced memory management features of 
the iAPX 286 allow the implementation of 
sophisticated virtual memory systems. 


Operating system implementors have found 
that a multi-level approach to system services 
provides better security and more reliable 
systems. For example, a very secure kernel 
might implement critical functions such as 
task scheduling and resource allocation, while 
less fundamental functions (such as I/O) are 
built around the kernel. This layered approach 
also makes program development and 
enhancement simpler and facilitates error 
detection and debugging. The iAPX 286 
supports the layered approach through its
four-level privilege scheme. 


1.4 ORGANIZATION OF THIS MANUAL 


To facilitate the use of this manual both as 
an introduction to the iAPX 286 architecture 
and as a reference guide, the remaining 
chapters are divided into three major parts.


Part I, comprising chapters 2 through 4,
should be read by all those who wish to 
acquire a basic familiarity with the iAPX 286 
architecture. These chapters provide detailed 
information on memory segmentation, regis- 
ters, addressing modes and the general 
(application level) iAPX 286 instruction set. 
In conjunction with the iAPX 286 Assembly 
Language Reference Manual, these chapters 
provide sufficient information for an assem- 
bly language programmer to design and write 
application programs. 


The chapters in Part I are: 


Chapter 2, “Architectural Features.” This 
chapter discusses those features of the iAPX 
286 architecture that are significant for 
application programmers. The information 
presented can also function as an introduc- 
tion to the machine for system programmers. 
Memory organization and segmentation, 
processor registers, addressing modes, and 
instruction formats are all discussed. 


Chapter 3, “Basic Instruction Set.” This
chapter presents the core instructions of the 
iAPX 86 family. 


Chapter 4, “Extended Instruction Set.” This 
chapter presents the extended instructions 
shared by the iAPX 186 and iAPX 286 
processors.


Part II of the manual consists of a single 
chapter: 


Chapter 5, “Real Address Mode.” This
chapter presents the system programmer’s
view of the iAPX 286 when the processor is
operated in Real Address Mode. 


Part III of the manual comprises chapters 6 
through 11. Aimed primarily at system 
programmers, these chapters discuss the more 
advanced architectural features of the iAPX
286, which are available when the processor
is in Protected Mode. Details on memory 
management, protection mechanisms, and 
task switching are provided. 


The chapters in Part III are: 


Chapter 6, “Virtual Memory.” This chapter 
describes the iAPX 286 address translation 
mechanisms that support virtual memory. 
Segment descriptors, global and local 
descriptor tables, and descriptor caches are 
discussed. 

Chapter 7, “Protection.” This chapter 
describes the protection features of the iAPX 
286. Privilege levels, segment attributes, 
access restrictions, and call gates are 
discussed. 


Chapter 8, “Tasks and State Transitions.” 
This chapter describes the iAPX 286 mecha- 
nisms that support concurrent tasks. Context- 
switching, task state segments, task gates, and 
interrupt tasks are discussed. 


Chapter 9, “Interrupts, Traps and Faults.” 
This chapter describes interrupt and trap 
handling. Special attention is paid to the 
exception traps, or faults, which may occur in 
Protected Mode. Interrupt gates, trap gates, 
and the interrupt descriptor table are 
discussed. 


Chapter 10, “System Control and Initializa- 
tion.” This chapter describes the actual 
instructions used to implement the memory 
management, protection, and task support 
features of the iAPX 286. System registers, 
privileged instructions, and the initial machine 
state are discussed. 


Chapter 11, “Advanced Topics.” This chapter 
completes Part III with a description of 
several advanced topics, including special 
segment attributes and pointer validation. 


1.5 RELATED PUBLICATIONS 


The following manuals also contain informa- 
tion of interest to programmers of iAPX 
286/20 systems: 


• Introduction to the iAPX 286, order
number 210308


• ASM 286 Assembly Language Reference
Manual, order number 121924


• iAPX 286 Operating System Writer's
Guide, order number 121960


• iAPX 286 Hardware Reference Manual,
order number 210760


• Microprocessor and Peripheral
Handbook, order number 210844


• PL/M-286 User's Guide, order number
121945


• 80287 Support Library Reference
Manual, order number 122129


• 8086 Software Toolbox Manual, order
number 122203 (includes information
about 80287 Emulator Software)




CHAPTER 2 
iAPX 286 BASE ARCHITECTURE 


This chapter describes the iAPX 286 appli- 
cation programming environment as seen by 
assembly language programmers. It is 
intended to introduce the programmer to 
those features of the iAPX 286 architecture 
that directly affect the design and implementation
of iAPX 286 application programs.


2.1 MEMORY ORGANIZATION AND 
SEGMENTATION 


The main memory of an iAPX 286 system 
makes up its physical address space. This 
address space is organized as a sequence of 
8-bit quantities, called bytes. Each byte is 
assigned a unique address ranging from 0 up 
to a maximum of 2^20 (1 megabyte) in Real
Address Mode, and up to 2^24 (16 megabytes)
in Protected Mode. 


A virtual address space is the organization of 
memory as viewed by a program. Virtual 
address space is also organized in units of 
bytes. (Other addressable units such as words, 
strings, and BCD digits are described below 
in section 2.2, “Data Types.”) In Real
Address Mode, as with the 8086 itself, 
programs view physical memory directly, 
inasmuch as they manipulate pure physical 
addresses. Thus, the virtual address space is 
identical to the physical address space (1 
megabyte).


In Protected Mode, however, programs have 
no direct access to physical addresses. Instead, 
memory is viewed as a much larger virtual 
address space of 2^30 bytes (1 gigabyte). This
1 gigabyte virtual address is mapped onto the
Protected Mode’s 16-megabyte physical
address space by the address translation
mechanisms described in Chapter 6.


The programmer views the virtual address 
space on the iAPX 286 as a collection of up 
to sixteen thousand linear subspaces, each 
with a specified size or length. Each of these 
linear address spaces is called a segment. A 
segment is a logical unit of contiguous 
memory. Segment sizes may range from one 
byte up to 64K (65,536) bytes. 


iAPX 286 memory segmentation supports the 
logical structure of programs and data in 
memory. Programs are not written as single 
linear sequences of instructions and data, but 
rather as modules of code and data. For 
example, program code may include a main 
routine and several separate procedures. Data 
may also be organized into various data 
structures, some private and some shared with 
other programs in the system. Run-time
stacks constitute yet another data require- 
ment. Each of these several modules of code 
and data, moreover, may be very different in 
size or vary dynamically with program 
execution. 


Segmentation supports this logical structure 
(see figure 2-1). Each meaningful module of 
a program may be separately contained in 
individual segments. The degree of modular- 
ization, of course, depends on the require- 
ments of a particular application. Use of 
segmentation benefits almost all applications. 
Programs execute faster and require less 
space. Segmentation also simplifies the design 
of structured software. 


2.2 DATA TYPES 


Bytes and words are the fundamental units in
which the iAPX 286 manipulates data, i.e.,
the fundamental data types.


Figure 2-1. Segmented Virtual Memory


A byte is 8 contiguous bits starting on an
addressable byte boundary. The bits are
numbered 0 through 7, starting from the
right. Bit 7 is the most significant bit.


A word is defined as two contiguous bytes
starting on an arbitrary byte boundary; a word
thus contains 16 bits. The bits are numbered
0 through 15, starting from the right. Bit 15
is the most significant bit. The byte containing
bit 0 of the word is called the low byte;
the byte containing bit 15 is called the high
byte.


Each byte within a word has its own particu- 
lar address, and the smaller of the two 
addresses is used as the address of the word. 
The byte at this lower address contains the
eight least significant bits of the word, while 
the byte at the higher address contains the 
eight most significant bits. The arrangement 
of bytes within words is illustrated in 
figure 2-2.


Note that a word need not be aligned at an 
even-numbered byte address. This allows 
maximum flexibility in data structures (e.g., 
records containing mixed byte and word 
entries) and efficiency in memory utilization. 
Although actual transfers of data between the 
processor and memory take place at physically
aligned word boundaries, the iAPX 286
converts requests for unaligned words into the
appropriate sequences of requests acceptable
to the memory interface. Such odd aligned
word transfers, however, may impact
performance by requiring two memory cycles
to transfer the word rather than one. Data
structures (e.g., stacks) should therefore be
designed in such a way that word operands
are aligned on word boundaries whenever
possible for maximum system performance.
Due to instruction prefetching and queueing
within the CPU, there is no requirement for
instructions to be aligned on word boundaries
and no performance loss if they are not.


Figure 2-2. Bytes and Words in Memory
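

The byte order of a word and the cost of odd-aligned words can be worked through in C. This is an added example, not code from the manual: the function names and the 'b'/'w' field notation are assumptions, and a byte transfer is assumed to take one memory cycle.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Store a word: the low byte goes to the lower address, the high byte
 * to the next address up. The address of the word is the lower one. */
void store_word(uint8_t *mem, size_t addr, uint16_t value)
{
    mem[addr]     = (uint8_t)(value & 0xFF);
    mem[addr + 1] = (uint8_t)(value >> 8);
}

/* Read a word back from any byte address, aligned or not. */
uint16_t load_word(const uint8_t *mem, size_t addr)
{
    return (uint16_t)(mem[addr] | (mem[addr + 1] << 8));
}

/* Memory cycles for one word transfer: one when the word starts on an
 * even address, two when it starts on an odd address. */
unsigned word_cycles(size_t addr)
{
    return (addr & 1) ? 2u : 1u;
}

/* Size of a record and the memory cycles needed to touch each field once. */
typedef struct {
    size_t   size;
    unsigned cycles;
} layout_cost;

/* Lay out a record given as a string of 'b' (byte) and 'w' (word) fields,
 * starting at address base. With pad_words set, one filler byte is placed
 * before any word that would otherwise start on an odd address. */
layout_cost record_cost(const char *fields, size_t base, int pad_words)
{
    layout_cost cost = { 0, 0 };
    size_t addr = base;

    for (const char *f = fields; *f != '\0'; f++) {
        if (*f == 'w') {
            if (pad_words && (addr & 1))
                addr++;                       /* filler byte */
            cost.cycles += word_cycles(addr);
            addr += 2;
        } else {
            cost.cycles += 1;                 /* assumed: one cycle per byte */
            addr += 1;
        }
    }
    cost.size = addr - base;
    return cost;
}

int main(void)
{
    uint8_t mem[8] = { 0 };
    store_word(mem, 3, 0x1234);               /* odd address: legal, but slower */
    printf("mem[3]=%02X mem[4]=%02X word=%04X cycles=%u\n",
           mem[3], mem[4], load_word(mem, 3), word_cycles(3));

    /* A record with mixed byte and word entries, packed versus padded. */
    layout_cost packed = record_cost("bwbw", 0, 0);
    layout_cost padded = record_cost("bwbw", 0, 1);
    printf("packed: %zu bytes, %u cycles\n", packed.size, packed.cycles);
    printf("padded: %zu bytes, %u cycles\n", padded.size, padded.cycles);
    return 0;
}
```

The packed layout saves two bytes per record and the padded layout saves one memory cycle per pass over it, which is the trade-off between memory utilization and performance the text describes.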


Although bytes and words are the fundamen- 
tal data types of operands, the processor also 
supports additional interpretations on these 
bytes or words. Depending on the instruction 
referencing the operand, the following 
additional data types can be recognized: 


Integer: 


A signed binary numeric value contained 
in an 8-bit byte or a 16-bit word. All 
operations assume a 2’s complement
representation. (Signed 32- and 64-bit 
integers are supported using the iAPX 
286/20 Numeric Data Processor.)


Ordinal:


An unsigned binary numeric value 
contained in an 8-bit byte or 16-bit word. 


Pointer: 


A 32-bit address quantity composed of a 
segment selector component and an offset 
component. Each component is a 16-bit 
word. 


String: 


A contiguous sequence of bytes or words. 
A string may contain from 1 byte to 64K
bytes. 


ASCII: 


A byte representation of alphanumeric and 
control characters using the ASCII 
standard of character representation. 


BCD: 


A byte (unpacked) representation of the 
decimal digits (0-9). 


Packed BCD: 


A byte (packed) representation of two 
decimal digits (0-9). One digit is stored in 
each nibble of the byte. 


Floating Point: 


A signed 32-, 64-, or 80-bit real number 
representation. (Floating operands are 
supported using the iAPX 286/20 Numeric 
Processor Configuration.)


Figure 2-3 graphically represents the data 
types supported by the iAPX 286. iAPX 286
arithmetic operations may be performed on 
five types of numbers: unsigned binary, signed 
binary (integers), unsigned packed decimal, 
unsigned unpacked decimal, and floating 
point. Binary numbers may be 8 or 16 bits 
long. Decimal numbers are stored in bytes;
two digits per byte for packed decimal, one 
digit per byte for unpacked decimal. The 
processor always assumes that the operands 
specified in arithmetic instructions contain 
data that represent valid numbers for the type 
of instruction being performed. Invalid data 
may produce unpredictable results. 


Unsigned binary numbers may be either 8 or 
16 bits long; all bits are considered in deter- 
mining a number’s magnitude. The value 
range of an 8-bit unsigned binary number is 
0-255; 16 bits can represent values from 0 
through 65,535. Addition, subtraction, multiplication
and division operations are available
for unsigned binary numbers.


Signed binary numbers (integers) may be 
either 8 or 16 bits long. The high-order
(leftmost) bit is interpreted as the number’s
sign: 0=positive and 1=negative. Negative
numbers are represented in standard two’s 
complement notation. Since the high-order bit 
is used for a sign, the range of an 8-bit integer 
is -128 through +127; 16-bit integers may
range from -32,768 through +32,767. The
value zero has a positive sign. 


Separate multiplication and division opera- 
tions are provided for both signed and 
unsigned binary numbers. The same addition 
and subtraction instructions are used with 
signed or unsigned binary values. Conditional 
jump instructions, as well as an “interrupt on 
overflow” instruction, can be used following 
an unsigned operation on an integer to detect 
overflow into the sign bit. 


Unpacked decimal numbers are stored as 
unsigned byte quantities. One digit is stored
in each byte. The magnitude of the number 
is determined from the low-order half-byte; 
hexadecimal values 0-9 are valid and are 
interpreted as decimal numbers. The high-order
half-byte must be zero for multiplication
and division; it may contain any value for
addition and subtraction.


Arithmetic on unpacked decimal numbers is 
performed in two steps. The unsigned binary 
addition, subtraction and multiplication 
operations are used to produce an intermedi- 
ate result. An adjustment instruction then 
changes the value to a final correct unpacked 
decimal number. Division is performed 
similarly, except that the adjustment is carried 
out on the two digit numerator operand in 
register AX first, followed by an unsigned 
binary division instruction that produces a 
correct result.


Unpacked decimal numbers are similar to the 
ASCII character representations of the digits 
0-9. Note, however, that the high-order half- 
byte of an ASCII numeral is always 3. 
Unpacked decimal arithmetic may be
performed on ASCII numeric characters 
under the following conditions: 


• the high-order half-byte of an ASCII
numeral must be set to 0H prior to
multiplication or division.


• unpacked decimal arithmetic leaves the
high-order half-byte set to 0H; it must be
set to 3 to produce a valid ASCII
numeral.


Packed decimal numbers are stored as 
unsigned byte quantities. The byte is treated 
as having one decimal digit in each half-byte 
(nibble); the digit in the high-order half-byte 
is the most significant. Values 0-9 are valid 
in each half-byte, and the range of a packed 
decimal number is 0-99. Additions and 
subtractions are performed in two steps. First, 
an addition or subtraction instruction is used 
to produce an intermediate result. Then, an 
adjustment operation is performed which 
changes the intermediate value to a final 
correct packed decimal result. Multiplication
and division adjustments are only available for
unpacked decimal numbers.
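

The two-step decimal addition described above (binary add, then adjust), for both the unpacked/ASCII and the packed format, written out in C. This is an added example, not code from the manual: the adjustment steps follow the behaviour of the family's AAA and DAA instructions, the register struct and function names are assumptions, and operands are validated first because the processor itself assumes valid digits.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Processor state touched by the decimal adjustments in this model. */
typedef struct {
    uint8_t al, ah;   /* low and high byte of AX */
    int carry;        /* carry out of bit 7 */
    int aux;          /* auxiliary carry: carry out of bit 3 */
} regs;

/* Step 1 for both formats: plain unsigned binary addition into AL. */
static void binary_add(regs *r, uint8_t a, uint8_t b, int carry_in)
{
    unsigned cin = carry_in ? 1u : 0u;
    unsigned sum = (unsigned)a + b + cin;
    r->aux   = ((a & 0x0Fu) + (b & 0x0Fu) + cin) > 0x0Fu;
    r->carry = sum > 0xFFu;
    r->al    = (uint8_t)sum;
}

/* Step 2, unpacked: keep one decimal digit in AL, carry the rest into AH. */
static void adjust_unpacked_add(regs *r)
{
    if ((r->al & 0x0F) > 9 || r->aux) {
        r->al = (uint8_t)(r->al + 6);
        r->ah = (uint8_t)(r->ah + 1);
        r->carry = r->aux = 1;
    } else {
        r->carry = r->aux = 0;
    }
    r->al &= 0x0F;                    /* high-order half-byte is left at 0H */
}

/* Step 2, packed: correct each half-byte that went past 9. */
static void adjust_packed_add(regs *r)
{
    uint8_t old_al = r->al;
    int old_carry = r->carry;
    if ((r->al & 0x0F) > 9 || r->aux) {
        r->al = (uint8_t)(r->al + 6);
        r->aux = 1;
    } else {
        r->aux = 0;
    }
    if (old_al > 0x99 || old_carry) {
        r->al = (uint8_t)(r->al + 0x60);
        r->carry = 1;
    } else {
        r->carry = 0;
    }
}

/* Both half-bytes must hold 0-9, otherwise the byte is not packed decimal. */
int is_valid_packed(uint8_t v)
{
    return (v & 0x0F) <= 9 && (v >> 4) <= 9;
}

/* Add two packed decimal bytes (range 0-99 each). Returns 0 and fills *sum
 * and *carry, or -1 if either operand is not valid packed decimal. */
int packed_add(uint8_t a, uint8_t b, uint8_t *sum, int *carry)
{
    regs r = { 0 };
    if (!is_valid_packed(a) || !is_valid_packed(b))
        return -1;
    binary_add(&r, a, b, 0);
    adjust_packed_add(&r);
    *sum = r.al;
    *carry = r.carry;
    return 0;
}

/* Add two equal-length ASCII numerals one digit at a time, starting from the
 * last (least significant) character. out receives len + 1 digits and a NUL. */
int ascii_add(const char *a, const char *b, char *out, size_t out_size)
{
    size_t len = strlen(a);
    int carry = 0;
    if (len == 0 || strlen(b) != len || out_size < len + 2)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (a[i] < '0' || a[i] > '9' || b[i] < '0' || b[i] > '9')
            return -1;
    for (size_t i = len; i-- > 0; ) {
        regs r = { 0 };
        /* For addition the high-order half-bytes (3 in ASCII) may stay set. */
        binary_add(&r, (uint8_t)a[i], (uint8_t)b[i], carry);
        adjust_unpacked_add(&r);
        carry = r.carry;
        out[i + 1] = (char)(r.al | 0x30);  /* set high half-byte to 3 again */
    }
    out[0] = (char)(0x30 | carry);
    out[len + 1] = '\0';
    return 0;
}

int main(void)
{
    uint8_t sum; int carry; char out[8];
    if (packed_add(0x58, 0x49, &sum, &carry) == 0)
        printf("packed 58 + 49 = %d%02X\n", carry, sum);
    if (ascii_add("0798", "0456", out, sizeof out) == 0)
        printf("ascii 0798 + 0456 = %s\n", out);
    return 0;
}
```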


Pointers and addresses are described below in 
section 2.3.3, “Index, Pointer, and Base
Registers,” and in section 3.8, “Address
Manipulation Instructions.”


Strings are contiguous bytes or words from 1
to 64K bytes in length. They generally contain 
ASCII or other character data representa- 
tions. The iAPX 286 provides string manipulation
instructions to move, examine, or
modify a string (see section 3.7, “Character 
Translation and String Instructions”). 


If the 80287 numerics processor extension 
(NPX) is present in the system (the iAPX
286/20 configuration; see Numeric
Supplement following Appendix D), the
iAPX 286 architecture also supports floating 
point numbers, 32- and 64-bit integers, and 
18-digit BCD data types. 


The iAPX 286/20 Numeric Data Processor 
supports and stores real numbers in a three- 
field binary format as required by IEEE 
standard 754 for floating point numerics (see 
figure 2-3). The number’s significant digits 
are held in the significand field, the exponent 
field locates the binary point within the 
significant digits (and therefore determines 
the number’s magnitude), and the sign field 
indicates whether the number is positive or 
negative. (The exponent and significand are 
analogous to the terms “characteristic” and
“mantissa,” typically used to describe float- 
ing point numbers on some computers.) This 
format is used by the iAPX 286/20 with 
various length significands and exponents to 
support single precision, double precision and 
extended (80-bit) precision floating point data 
types. Negative numbers differ from positive 
numbers only in their sign bits.


2.3 REGISTERS


The iAPX 286 contains a total of fourteen 
registers that are of interest to the applica- 
tion programmer. (Five additional registers 
used by system programmers are covered in 
section 10.1.) As shown in figure 2-4, these 
registers may be grouped into four basic 
categories:


• General registers. These eight 16-bit
general-purpose registers are used
primarily to contain operands for arithmetic
and logical operations.


• Segment registers. These four special-
purpose registers determine, at any given
time, which segments of memory are
currently addressable.


• Status and Control registers. These three
special-purpose registers are used to 
record and alter certain aspects of the 
iAPX 286 processor state. 


2.3.1 General Registers 


The general registers of the iAPX 286 are the 
16-bit registers AX, BX, CX, DX, SP, BP, 
SI, and DI. These registers are used inter- 
changeably to contain the operands of logical 
and arithmetic operations. 


Some instructions and addressing modes (see 
section 2.4), however, dedicate certain general 
registers to specific uses. BX and BP are often 
used to contain the base address of data
structures in memory (for example, the starting
address of an array); for this reason, they
are often referred to as the base registers. 
Similarly, SI and DI are often used to contain 
an index value that will be incremented to step 
through a data structure; these two registers 
are called the index registers. Finally, SP and 
BP are used for stack manipulation. Both SP 
and BP normally contain offsets into the 
current stack. SP generally contains the offset 
of the top of the stack and BP contains the 
offset or base address of the current stack
frame. The use of these general-purpose 
registers for operand addressing is discussed 
in section 2.3.3, “Index, Pointer, and Base 
Registers.” Register usage for individual
instructions is discussed in chapters 3 and 4. 


As shown in figure 2-4, eight byte registers 
overlap four of the 16-bit general registers. 
These registers are named AH, BH, CH, and 
DH (high bytes); and AL, BL, CL, and DL 
(low bytes); they overlap AX, BX, CX, and 
DX. These registers can be used either in their 
entirety or as individual 8-bit registers. This 
dual interpretation simplifies the handling of 
both 8- and 16-bit data elements. 


2.3.2 Memory Segmentation and Segment 
Registers 


Complete programs generally consist of many 
different code modules (or segments), and 
different types of data segments. However, at 
any given time during program execution, 
only a small subset of a program’s segments
are actually in use. Generally, this subset will
include code, data, and possibly a stack. The 
iAPX 286 architecture takes advantage of this 
by providing mechanisms to support direct 
access to the working set of a program’s
execution environment and access to 
additional segments on demand. 


At any given instant, four segments of 
memory are immediately accessible to an 
executing iAPX 286 program. The segment 
registers DS, ES, SS, and CS are used to 
identify these four current segments. Each of 
these registers specifies a particular kind of 
segment, as characterized by the associated 
mnemonics (“code,” “stack,” “data,” or
“extra”) shown in figure 2-4.


An executing program is provided with 
concurrent access to the four individual 
segments of memory—a code segment, a stack 
segment, and two data segments—by means 
of the four segment registers. Each may be
said to select a segment, since it uniquely
determines the one particular segment from
among the numerous segments in memory,
which is to be immediately accessible at
highest speed. Thus, the 16-bit contents of a
segment register is called a segment selector.


Figure 2-4. iAPX 286 Base Architecture Register Set


Once a segment is selected, a base address is 
associated with it. To address an element 
within a segment, a 16-bit offset from the 
segment’s base address must be supplied. The 
16-bit segment selector and the 16-bit offset 
taken together form the high and low order 
halves, respectively, of a 32-bit virtual address 
pointer. Once a segment is selected, only the 
lower 16-bits of the pointer, called the offset, 
generally need to be specified by an instruc- 
tion. Simple rules define which segment 
register is used to form an address when only 
a 16-bit offset is specified.


An executing program requires, first of all, 
that its instructions reside somewhere in 
memory. The segment of memory containing 
the currently executing sequence of instruc- 
tions is known as the current code segment; it 
is specified by means of the CS register. All 
instructions are fetched from this code 
segment, using as an offset the contents of the 
instruction pointer (IP). The CS:IP register 
combination therefore forms the full 32-bit 
pointer for the next sequential program 
instruction. The CS register is manipulated 
indirectly. Transitions from one code segment 
to another (e.g., a procedure call) are effected 
implicitly as the result of control-transfer 
instructions, interrupts, and trap operations. 


Stacks play a fundamental role in the iAPX 
286 architecture; subroutine calls, for 
example, involve a number of implicit stack 
operations. Thus, an executing program will 
generally require a region of memory for its 
stack. The segment containing this region is
known as the current stack segment, and it is
specified by means of the SS register. All
stack operations are performed within this
segment, usually in terms of address offsets 
contained in the stack pointer (SP) and stack 
frame base (BP) registers. Unlike CS, the SS 
register can be loaded explicitly for dynamic 
stack definition. 


Beyond their code and stack requirements, 
most programs must also fetch and store data 
in memory. The DS and ES registers allow 
the specification of two data segments, each 
addressable by the currently executing 
program. Accessibility to two separate data 
areas supports differentiation and access 
requirements like local procedure data and 
global process data. An operand within a data 
segment is addressed by specifying its offset 
either directly in an instruction or indirectly 
via index and/or base registers (described in
the next subsection).


Depending on the data structure (e.g., the way
data is parceled into one or more segments), 
a program may require access to multiple data 
segments. To access additional segments, the 
DS and ES registers can be loaded under 
program control during the course of a 
program’s execution. This simply requires 
loading the appropriate data pointer prior to 
accessing the data. 


The interpretation of segment selector values
depends on the operating mode of the proces-
sor. In Real Address Mode, a segment selec-
tor is a physical address (figure 2-5). In
Protected Mode, a segment selector selects a
segment of the user’s virtual address space
(figure 2-6). An intervening level of logical- 
to-physical address translation converts the 
logical address to a physical memory address. 
Chapter 6, “Memory Management,” provides 
a detailed discussion of Protected Mode 
addressing. In general, considerations of 
selector formats and the details of memory 
mapping need not concern the application 
programmer.


[Figure 2-5 diagram: segments located within the 1 MEGABYTE PHYSICAL ADDRESS SPACE]

NOTES: 1. THE SELECTOR IDENTIFIES A SEGMENT IN PHYSICAL MEMORY.
       2. A SELECTOR SPECIFIES THE SEGMENT’S BASE ADDRESS, MODULO 16, WITHIN
          THE 1 MEGABYTE ADDRESS SPACE.
       3. THE SELECTOR IS THE 16 MOST SIGNIFICANT BITS OF A SEGMENT’S PHYSICAL
          BASE ADDRESS.
       4. THE VALUES OF SELECTORS DETERMINE THE AMOUNT THEY OVERLAP IN REAL
          MEMORY.
       5. SEGMENTS MAY OVERLAP BY INCREMENTS OF 16 BYTES. OVERLAP RANGES FROM
          COMPLETE (SEG 1 = SEG 1) TO NONE (SEG 1 + SEG 2 + 64K)


Figure 2-5. Real Address Mode Segment Selector Interpretation


[Figure 2-6 diagram: a SELECTOR picks one segment of 1 TO 64K BYTES (segments labelled up to SEG 3FFE, SEG 3FFF) in the 1 GIGABYTE VIRTUAL ADDRESS SPACE]

NOTES: 1. A SELECTOR UNIQUELY IDENTIFIES (NAMES) ONE OF 16K POSSIBLE SEGMENTS IN THE
          TASK’S VIRTUAL ADDRESS SPACE.
       2. THE SELECTOR VALUE DOES NOT SPECIFY THE SEGMENT’S LOCATION IN PHYSICAL
          MEMORY.
       3. THE SELECTOR DOES NOT IMPLY ANY OVERLAP WITH OTHER SEGMENTS (THIS
          DEPENDS ON THE BASE ADDRESS OF THE SEGMENT AS SPECIFIED VIA THE MEMORY
          MANAGEMENT AND PROTECTION INFORMATION).


Figure 2-6. Protected Mode Segment Selector Interpretation


2.3.3 Index, Pointer, and Base Registers


Five of the general-purpose registers are 
available for offset address calculations. These 
five registers, shown in figure 2-4, are SP, BP, 
BX, SI, and DI. SP is called a pointer regis-
ter, BP and BX are called base registers, SI
and DI are called index registers.


As described in the previous section, segment
registers define the set of four segments
currently addressable by a program. A
pointer, base, or index register may contain
an offset value relative to the start of one of
these segments; it thereby points to a partic-
ular operand’s location within that segment.
To allow for efficient computations of effec-
tive address offsets, all base and index regis-
ters may participate interchangeably as
operands in most arithmetical operations.


Stack operations are facilitated by the stack
pointer (SP) and stack frame base (BP)
registers. By specifying offsets into the current
stack segment, each of these registers provides
access to data on the stack. The SP register
is the customary top-of-stack pointer,
addressing the uppermost datum on a push-
down stack. It is referenced implicitly by
PUSH and POP operations, subroutine calls,
and interrupt operations. The BP register
provides yet another offset into the stack
segment. The existence of this stack relative
base register, in conjunction with certain
addressing modes described in section 2.6.3,
is particularly useful for accessing data struc-
tures, variables and dynamically allocated
work space within the stack.


Stacks in the iAPX 286 are implemented in
memory and are located by the stack segment
register (SS) and the stack pointer register
(SP). A system may have an unlimited
number of stacks, and a stack may be up to
64K bytes long, the maximum length of a
segment.


One stack is directly addressable at a time; 
this is the current stack, often referred to 
simply as “the” stack. SP contains the current 
top of the stack (TOS). In other words, SP 
contains the offset to the top of the push down 
stack from the stack segment’s base address. 
Note, however, that the stack’s base address 
(contained in SS) is not the “bottom” of the 
stack (figure 2-7). 


[Figure 2-7 diagram, labels: LOGICAL BOTTOM OF STACK (initial SP value), POP-UP, LOGICAL TOP OF STACK, PUSH-DOWN, STACK SEGMENT BASE ADDRESS]


Figure 2-7. iAPX 286 Stack


iAPX 286 stack entries are 16 bits wide.
Instructions operate on the stack by adding 
and removing stack items one word at a time. 
An item is pushed onto the stack (see figure 
2-8) by decrementing SP by 2 and writing the 
item at the new TOS. An item is popped off 
the stack by copying it from TOS and then 
incrementing SP by 2. In other words, the 
stack grows down in memory toward its base 
address. Stack operations never move items 
on the stack; nor do they erase them. The top 
of the stack changes only as a result of updat- 
ing the stack pointer. 


The stack frame base pointer (BP) is often
used to access elements on the stack relative
to a fixed point on the stack rather than
relative to the current TOS. It typically
identifies the base address of the current stack
frame established for the current procedure
(figure 2-9). If an index register is used
relative to BP (e.g., base + index addressing
mode using BP as the base), the offset will be
calculated automatically in the current stack
segment.
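The push and pop rules above and the BP frame of figure 2-9, modelled in C as an added example (it is not code from the manual). It assumes a near CALL that pushes one return-offset word and a word-aligned SP; all names and values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One 64K stack segment with the SP and BP offsets into it. All names and
   values are constructed for this example; SP is assumed to stay word-aligned. */
typedef struct {
    uint16_t words[0x8000];   /* 64K bytes, indexed by byte offset / 2 */
    uint16_t sp, bp;
} Stack;

void stack_init(Stack *s, uint16_t initial_sp, uint16_t caller_bp)
{
    memset(s->words, 0, sizeof s->words);
    s->sp = initial_sp;       /* logical bottom of the stack */
    s->bp = caller_bp;
}

uint16_t read16(const Stack *s, uint16_t off) { return s->words[off >> 1]; }
void write16(Stack *s, uint16_t off, uint16_t v) { s->words[off >> 1] = v; }

/* PUSH: decrement SP by 2, then write the item at the new TOS. */
void push(Stack *s, uint16_t v) { s->sp -= 2; write16(s, s->sp, v); }

/* POP: copy the item from TOS, then increment SP by 2. Nothing is erased. */
uint16_t pop(Stack *s) { uint16_t v = read16(s, s->sp); s->sp += 2; return v; }

/* Caller in figure 2-9: PUSH AX; PUSH ARRAY_SIZE; CALL PROC_N+1.
   Assumption: a near CALL, which pushes one word (the return offset). */
void call_proc(Stack *s, uint16_t ax, uint16_t array_size, uint16_t return_ip)
{
    push(s, ax);
    push(s, array_size);
    push(s, return_ip);
}

/* Callee entry: PUSH BP; PUSH CX; MOV BP,SP; SUB SP,WORK_SPACE. */
void prologue(Stack *s, uint16_t cx, uint16_t work_space)
{
    push(s, s->bp);
    push(s, cx);
    s->bp = s->sp;            /* BP stays fixed for the whole procedure */
    s->sp -= work_space;      /* work space allocated on demand */
}

/* Based-mode access [BP + disp] in the stack segment, offset modulo 2^16. */
uint16_t frame_read(const Stack *s, int16_t disp)
{
    return read16(s, (uint16_t)(s->bp + disp));
}

void frame_write(Stack *s, int16_t disp, uint16_t v)
{
    write16(s, (uint16_t)(s->bp + disp), v);
}

/* Callee exit: MOV SP,BP; POP CX; POP BP; RET. Returns the return offset. */
uint16_t epilogue(Stack *s, uint16_t *cx)
{
    s->sp = s->bp;
    *cx = pop(s);
    s->bp = pop(s);
    return pop(s);
}

int main(void)
{
    static Stack s;
    uint16_t cx;

    stack_init(&s, 0x0100, 0x0AAA);
    call_proc(&s, 0x1111, 0x0008, 0x0456);
    prologue(&s, 0x2222, 4);
    frame_write(&s, -2, 0xBEEF);                      /* a local variable */
    printf("ARRAY_SIZE at [BP+6] = %04X\n", (unsigned)frame_read(&s, 6));
    printf("return offset = %04X\n", (unsigned)epilogue(&s, &cx));
    printf("SP = %04X, word at 00F4 = %04X\n", (unsigned)s.sp,
           (unsigned)read16(&s, 0x00F4));
    return 0;
}
```

After the epilogue the local written at [BP-2] is still readable at offset 00F4, below the new top of stack, because stack operations only move SP and never erase items.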


Accessing data structures in data segments is
facilitated by the BX register, which has the
same function in addressing operands within
data segments that BP does for stack
segments. They are called base registers
because they may contain an offset to the base
of a data structure. The similar usage of these
two registers is especially important when
discussing addressing modes (see section 2.4,
“Addressing Modes”).


Operations on data are also facilitated by the 
SI and DI registers. By specifying an offset 
relative to the start of the currently address- 
able data segment, an index register can be 
used to address an operand in the segment. If 
an index register is used in conjunction with 
the BX base register (i.e., base + index 
addressing) to form an offset address, the data
is also assumed to reside in the current data
segment. As a rule, data referenced through 
an index register or BX is presumed to reside 
in the current data segment. That is, if an 
instruction invokes addressing for one of its 
operands using either BX, DI, SI, or BX with 
SI or DI, the contents of the register(s) (BX, 
DI, or SI) implicitly specify an offset in the 
current data segment. As previously men- 
tioned, data referenced via SP, BP or BP with 
SI or DI implicitly specify an operand in the 
current stack segment (refer to table 2-1). 


There are two exceptions to the rules listed 
above. The first concerns the operation of 
certain iAPX 286 string instructions. For the 
most flexibility, these instructions assume that 
the DI register addresses destination strings 
not in the data segment, but rather in the 
extra segment (ES register). This allows 
movement of strings between different 
segments. This has led to the descriptive
names “source index” and “destination
index.” In all cases other than string instruc-
tions, however, the SI and DI registers may
be used interchangeably to reference either 
source or destination operands. 


Table 2-1. Implied Segment Usage by Index,
Pointer, and Base Registers

Register        Implied Segment
--------        ---------------
SP              SS
BP              SS
BX              DS
SI              DS
DI              DS, ES for String Operations
BP + SI, DI     SS
BX + SI, DI     DS

NOTE:
All implied Segment usage, except SP to SS and DI
to ES for String Operations, may be explicitly speci-
fied with a segment override prefix for any of the four
segments. The prefix precedes the instruction for
which explicit reference is desired.


[Figure 2-8 diagram: STACK OPERATION FOR CODE SEQUENCE PUSH AX, POP AX, POP BX; three stack-segment panels, each with SS:SP (SELECTOR:OFFSET), the first labelled EXISTING STACK BEFORE PUSH]


Figure 2-8. Stack Operation


BP IS A CONSTANT POINTER TO STACK BASED VARIABLES AND WORK SPACE. ALL REFERENCES
USE BP AND ARE INDEPENDENT OF SP, WHICH MAY VARY DURING A ROUTINE EXECUTION.

PROC_N:
        PUSH AX
        PUSH ARRAY_SIZE
        CALL PROC_N+1

PROC_N+1:
        PUSH BP
        PUSH CX
        MOV  BP, SP
        SUB  SP, WORK_SPACE

        “PROCEDURE BODY”

        MOV  SP, BP
        POP  CX
        POP  BP
        RET

[Stack diagram, labels: BOTTOM OF STACK, PROCEDURE N STACK FRAME, PROCEDURE N+1 STACK FRAME, DYNAMICALLY ALLOCATED ON DEMAND RATHER THAN STATICALLY, TOP OF STACK, STACK SEGMENT BASE]


Figure 2-9. BP Usage as a Stack Frame Base Pointer


A second more general override capability
allows the programmer complete control of 
which segment is used for a specific opera- 
tion. Segment-override prefixes, discussed in 
section 2.4.3, allow the index and base regis- 
ters to address data in any of the four 
currently addressable segments. 


2.3.4 Status and Control Registers 


Two status and control registers are of 
immediate concern to applications program- 
mers: the instruction pointer and the FLAGS 
registers.


The instruction pointer register (IP) contains 
the offset address, relative to the start of the 
current code segment, of the next sequential 
instruction to be executed. Together, the 
CS:IP registers thus define a 32-bit program-
counter. The instruction pointer is not directly
visible to the programmer; it is controlled
implicitly, by interrupts, traps, and control-
transfer operations.


The FLAGS register encompasses eleven flag
fields, mostly one-bit wide, as shown in figure
2-10. Six of the flags are status flags that
record processor status information. The
status flags are affected by the execution of
arithmetic and logical instructions. The carry
flag is also modifiable with instructions that
will clear, set or complement this flag bit. See
Chapters 3 and 4.


[Figure 2-10 diagram: FLAGS register layout. STATUS FLAGS include CARRY, PARITY, AUXILIARY CARRY and OVERFLOW; CONTROL FLAGS: TRAP FLAG, INTERRUPT ENABLE, DIRECTION FLAG; SPECIAL FIELDS: I/O PRIVILEGE LEVEL, NESTED TASK FLAG]


Figure 2-10. Flags Register


The carry flag (CF) generally indicates a
carry or borrow out of the most significant
bit of an 8- or 16-bit operand after perform-
ing an arithmetic operation; this flag is also
useful for bit manipulation operations involv-
ing the shift and rotate instructions. The effect
on the remaining status flags, when defined
for a particular instruction, is generally as
follows: the zero flag (ZF) indicates a zero
result when set; the sign flag (SF) indicates
whether the result was negative (SF=1) or
positive (SF=0); when set, the overflow flag
(OF) indicates whether an operation results
in a carry into the high order bit of the result
but not a carry out of the high-order bit, or
vice versa; the parity flag (PF) indicates
whether the modulo 2 sum of the low-order
eight bits of the operation is even (PF=0) or
odd (PF=1) parity. The auxiliary carry flag
(AF) represents a carry out of or borrow into
the least significant 4-bit digit when perform-
ing binary coded decimal (BCD) arithmetic.


The FLAGS register also contains three 
control flags that are used, under program 
control, to direct certain processor opera- 
tions. The interrupt-enable flag (IF), if set, 
enables external interrupts; otherwise, inter- 
rupts are disabled. The trap flag (TF), if set, 
puts the processor into a single-step mode for 
debugging purposes where the target program 
is automatically interrupted to a user supplied 
debug routine after the execution of each 
target program instruction. The direction flag 
(DF) controls the forward or backward direc-
tion of string operations: 0 = forward or auto-
increment the address register(s) (SI, DI or
SI and DI), 1 = backward or auto-decre-
ment the address register(s) (SI, DI or SI and
DI).


In general, the interrupt enable flag may be
set or reset with special instructions (STI = set,
CLI = clear) or by placing the flags on the
stack, modifying the stack, and returning the
flag image from the stack to the flag register.
If operating in Protected Mode, the ability to
alter the IF bit is subject to protection checks
to prevent non-privileged programs from
affecting the interrupt state of the CPU. This
applies to both instruction and stack options
for modifying the IF bit.


The TF flag may only be modified by copying
the flag register to the stack, setting the TF
bit in the stack image, and returning the
modified stack image to the flag register. The
trap interrupt occurs on completion of the
next instruction. Entry to the single step
routine saves the flag register on the stack
with the TF bit set, and resets the TF bit in
the register. After completion of the single
step routine, the TF bit is automatically set
on return to the program being single stepped
to interrupt the program again after comple-
tion of the next instruction. Use of TF is not
inhibited by the protection mechanism in
Protected Mode.


The DF flag, like the IF flag, is controlled by 
instructions (CLD = clear, STD = set) or 
flag register modification through the stack. 
Typically, routines that use string instruc- 
tions will save the flags on the stack, modify 
DF as necessary via the instructions provided, 
and restore DF to its original state by restor- 
ing the Flag register from the stack before 
returning. Access or control of the DF flag is 
not inhibited by the protection mechanism in 
Protected Mode. 


The Special Fields bits are only relevant in 
Protected Mode. Real Address Mode 
programs should treat these bits as don’t- 
care’s, making no assumption about their 
status. Attempts to modify the IOPL and NT 
fields are subject to protection checking in 
Protected Mode. In general, the applications
programmer will not be able to and should
not attempt to modify these bits. (See section
9.4, “Privileged and Trusted Instructions” for
more details.)


2.4 ADDRESSING MODES 


The information encoded in an iAPX 286 
instruction includes a specification of the 
operation to be performed, the type of the
operands to be manipulated, and the location
of these operands. If an operand is located in
memory, the instruction must also select,
explicitly or implicitly, which of the currently
addressable segments contains the operand.
This section covers the operand addressing
mechanisms; iAPX 286 operators are
discussed in Chapter 3.


The five elements of a general instruction are 
briefly described below. The exact format of 
iAPX 286 instructions is specified in 
Appendix B. 


• The opcode is present in all instructions;
  in fact, it is the only required element. Its
  principal function is the specification of
  the operation performed by the
  instruction.

• A register specifier.

• The addressing mode specifier, when
  present, is used to specify the addressing
  mode of an operand for referencing data
  or performing indirect calls or jumps.

• The displacement, when present, is used
  to compute the effective address of an
  operand in memory.

• The immediate operand, when present,
  directly specifies one operand of the
  instruction.


Of the four elements, only one, the opcode, is
always present. The other elements may or
may not be present, depending on the partic-
ular operation involved and on the location
and type of the operands.


2.4.1 Operands 


Generally speaking, an instruction is an 
operation performed on zero, one, or two 
operands, which are the data manipulated by 
the instruction. An operand can be located 
either in a register (AX, BX, CX, DX, SI, 
DI, SP, or BP in the case of 16-bit operands; 
AH, AL, BH, BL, CH, CL, DH, or DL in 
the case of 8-bit operands; the FLAG register
for flag operations), in the instruction itself (as
an immediate operand), or in memory or an
I/O port. Immediate operands and operands
in registers can be accessed more rapidly than
operands in memory since memory operands
must be fetched from memory while immedi-
ate and register operands are available in the
processor.


An iAPX 286 instruction can reference zero, 
one, or two operands. The three forms are as 
follows:


• Zero-operand instructions, such as RET,
  NOP, and HLT. Consult Appendix B.

• One-operand instructions, such as INC or
  DEC. The location of the single operand
  can be specified implicitly, as in AAM
  (where the register AX contains the
  operand), or explicitly, as in INC (where
  the operand can be in any register or
  memory location). Explicitly specified
  operands are accessed via one of the
  addressing modes described in section
  2.4.2.

• Two operand instructions such as MOV,
  ADD, XOR, etc., generally overwrite one
  of the two participating operands with the
  result. A distinction can thus be made
  between the source operand (the one left
  unaffected by the operation) and the
  destination operand (the one overwritten
  by the result). Like one-operand instruc-
  tions, two-operand instructions can
  specify the location of operands either
  explicitly or implicitly. If an instruction
  contains two explicitly specified operands,
  only one of them—either the source or the
  destination—can be in a register or
  memory location. The other operand must
  be in a register or be an immediate source
  operand. Special cases of two-operand
  instructions are the string instructions and
  stack manipulation. Both operands of
  some string instructions are in memory
  and are explicitly specified. Push and pop
  stack operations allow transfer between
  memory operands and the memory based
  stack.


Thus, the two-operand instructions of the 
iAPX 286 permit operations of the following 
sort: 


• Register-to-register

• Register-to-memory

• Memory-to-register

• Immediate-to-register

• Immediate-to-memory

• Memory-to-memory


Instructions can specify the location of their 
operands by means of eight addressing modes, 
which are described in sections 2.4.2 
and 2.4.3. 


2.4.2 Register and Immediate Modes 


Two addressing modes are used to reference 
operands contained in registers and 
instructions: 


• Register Operand Mode. The operand is
  located in one of the 16-bit registers (AX,
  BX, CX, DX, SI, DI, SP, or BP) or in
  one of the 8-bit general registers (AH,
  BH, CH, DH, AL, BL, CL, or DL).

  Special instructions are also included for
  referencing the CS, DS, ES, SS, and Flag
  registers as operands.

• Immediate Operand Mode. The operand
  is part of the instruction itself (the
  immediate operand element).


2.4.3 Memory Addressing Modes 


Six modes are used to access operands in 
memory. Memory operands are accessed by 
means of a pointer consisting of a segment
selector (see section 2.3.2) and an offset,
which specifies the operand’s displacement in 
bytes from the beginning of the segment in 
which it resides. Both the segment selector 
component and the offset component are 
16-bit values. (See section 2.1 for a discus- 
sion of segmentation.) Only some instruc- 
tions use a full 32-bit address. 


Most memory references do not require the 
instruction to specify a full 32-bit pointer 
address. Operands that are located within one 
of the currently addressable segments, as 
determined by the four segment registers (see 
section 2.3.2, “Segment Registers”), can be 
referenced very efficiently simply by means 
of the 16-bit offset. This form of address is 
called a short address. The choice of segment
(CS, DS, ES, or SS) is either implicit within 
the instruction itself or explicitly specified by 
means of a segment override prefix (see 
below). 


See figure 2-11 for a diagram of the address- 
ing process. 


2.4.3.1 SEGMENT SELECTION 


All instructions that address operands in 
memory must specify the segment and the 
offset. For speed and compact instruction 
encoding, segment selectors are usually stored 
in the high speed segment registers. An 
instruction need specify only the desired 
segment register and an offset in order to 
address a memory operand. 


Most instructions need not explicitly specify
which segment register is used. The correct
segment register is automatically chosen
according to the rules of table 2-1 and table
2-2. These rules follow the way programs are
written (see figure 2-12) as independent
modules that require areas for code and data,
a stack, and access to external data areas.


[Figure 2-11 diagram: a POINTER whose two components pick the SELECTED SEGMENT in MEMORY and the SELECTED OPERAND within it]


Figure 2-11. Two-Component Address


Table 2-2. Segment Register Selection Rules

Memory Reference         Segment Register   Implicit Segment
Needed                   Used               Selection Rule
----------------------   ----------------   ------------------------------------------------
Instructions             Code (CS)          Automatic with instruction prefetch.
Stack                    Stack (SS)         All stack pushes and pops. Any memory reference
                                            which uses BP as a base register.
Local Data               Data (DS)          All data references except when relative to stack
                                            or string destination.
External (Global) Data   Extra (ES)         Alternate data segment and destination of string
                                            operation.


There is a close connection between the type
of memory reference and the segment in
which that operand resides (see the next
section for a discussion of how memory
addressing mode calculations are performed).
As a rule, a memory reference implies the
current data segment (i.e., the implicit
segment selector is in DS) unless the BP
register is involved in the address specifica-
tion, in which case the current stack segment
is implied (i.e., SS contains the selector).


[Figure 2-12 diagram: MODULE A, MODULE B, PROCESS STACK, PROCESS DATA BLOCK 1 and PROCESS DATA BLOCK 2 shown as separate areas of MEMORY]


Figure 2-12. Use of Memory Segmentation


The iAPX 286 instruction set defines special
instruction prefix elements (see Appendix B).
One of these is SEG, the segment-override
prefix. Segment-override prefixes allow an
explicit segment selection. Only in two special
cases—namely, the use of DI to reference
destination strings in the ES segment, and the
use of SP to reference stack locations in the
SS segment—is there an implied segment
selection which cannot be overridden. The
format of segment override prefixes is shown
in Appendix B.


2.4.3.2 OFFSET COMPUTATION


The offset within the desired segment is
calculated in accordance with the desired
addressing mode. The offset is calculated by
taking the sum of up to three components:


• the displacement element in the instruction

• the base (contents of BX or BP—a base
  register)

• the index (contents of SI or DI—an index
  register)


Each of the three components of an offset may
be either a positive or negative value. Offsets
are calculated modulo 2^16.


The six memory addressing modes are gener- 
ated using various combinations of these three 
components. The six modes are used for 
accessing different types of data stored in 
memory: 


addressing mode                    offset calculation
---------------                    ------------------
direct address                     displacement alone
register indirect                  base or index alone
based                              base + displacement
indexed                            index + displacement
based indexed                      base + index
based indexed with displacement    base + index + disp


In all six modes, the operand is located at the 
specified offset within the selected segment. 
All displacements, except direct address mode, 
are optionally 8- or 16-bit values. 8-bit 
displacements are automatically sign- 
extended to 16 bits. The six addressing modes 
are described and demonstrated in the 
following section on memory addressing 
modes.


2.4.3.3 MEMORY MODE


Two modes are used for simple scalar 
operands located in memory: 


• Direct Address Mode. The offset of the
  operand is contained in the instruction as
  the displacement element. The offset is a
  16-bit quantity.

• Register Indirect Mode. The offset of the
  operand is in one of the registers SI, DI,
  or BX. (BP is excluded; if BP is used as
  a stack frame base, it requires an index
  or displacement component to reference
  either parameters passed on the stack or
  temporary variables allocated on the
  stack. The instruction level bit encoding
  for the BP only address mode is used to
  specify Direct Address mode. See
  Chapter 12 for more details.)


The following four modes are used for 
accessing complex data structures in 
memory (see figure 2-13):


• Based Mode. The operand is located
  within the selected segment at an offset
  computed as the sum of the displacement
  and the contents of a base register (BX
  or BP). Based mode is often used to
  access the same field in different copies
  of a structure (often called a record). The
  base register points to the base of the
  structure (hence the term “base” regis-
  ter), and the displacement selects a
  particular field. Corresponding fields
  within a collection of structures can be
  accessed simply by changing the base
  register. (See figure 2-13, example 1.)

• Indexed Mode. The operand is located
  within the selected segment at an offset
  computed as the sum of the displacement
  and the contents of an index register (SI
  or DI). Indexed mode is often used to
  access elements in a static array (e.g., an
  array whose starting location is fixed at
  translation time). The displacement
  locates the beginning of the array, and the
  value of the index register selects one
  element. Since all array elements are the
  same length, simple arithmetic on the
  index register will select any element.
  (See figure 2-13, example 2.)

• Based Indexed Mode. The operand is
  located within the selected segment at an
  offset computed as the sum of the base
  register’s contents and an index register’s
  contents. Based Indexed mode is often
  used to access elements of a dynamic
  array (i.e., an array whose base address
  can change during execution). The base
  register points to the base of the array,
  and the value of the index register is used
  to select one element. (See figure 2-13,
  example 3.)

• Based Indexed Mode with Displacement.
  The operand is located within the selected
  segment at an offset computed as the sum
  of a base register’s contents, an index
  register’s contents, and the displacement.
  This mode is often used to access
  elements of an array within a structure.
  For example, the structure could be an
  activation record (i.e., a region of the
  stack containing the register contents,
  parameters, and variables associated with
  one instance of a procedure); and one
  variable could be an array. The base
  register points to the start of the activa-
  tion record, the displacement expresses
  the distance from the start of the record
  to the beginning of the array variable, and
  the index register selects a particular
  element of the array. (See figure 2-13,
  example 4.)
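The segment selection rule and offset computation of sections 2.4.3.1 to 2.4.3.3, worked through in C as an added example (it is not code from the manual). The type and function names and the register values are constructed for illustration; the physical address step applies to Real Address Mode only, and string destinations (DI to ES) and SP-based stack references are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of iAPX 286 memory-operand addressing (sections 2.4.3.1 to 2.4.3.3).
   All type, field and function names are invented for this example. */
typedef enum { BASE_NONE, BASE_BX, BASE_BP } BaseReg;
typedef enum { INDEX_NONE, INDEX_SI, INDEX_DI } IndexReg;
typedef enum { DISP_NONE, DISP_8, DISP_16 } DispSize;
typedef enum { SEG_DEFAULT, SEG_CS, SEG_DS, SEG_ES, SEG_SS } SegReg;
typedef enum { MODE_INVALID, MODE_DIRECT, MODE_REG_INDIRECT, MODE_BASED,
               MODE_INDEXED, MODE_BASED_INDEXED, MODE_BASED_INDEXED_DISP } AddrMode;

typedef struct { uint16_t bx, bp, si, di, cs, ds, es, ss; } CpuRegs;

typedef struct {
    BaseReg  base;
    IndexReg index;
    DispSize disp_size;
    uint16_t disp;        /* DISP_8 uses only the low byte */
    SegReg   override;    /* SEG_DEFAULT: no segment-override prefix */
} MemOperand;

/* Constructed register values, chosen so that the 16-bit sums overflow. */
CpuRegs sample_regs(void)
{
    CpuRegs r = { .bx = 0x1000, .bp = 0xFFF0, .si = 0x0020, .di = 0x0004,
                  .cs = 0x1000, .ds = 0x2000, .es = 0x4000, .ss = 0x3000 };
    return r;
}

/* Classify an operand as one of the six memory addressing modes. */
AddrMode classify(const MemOperand *op)
{
    int has_base  = op->base != BASE_NONE;
    int has_index = op->index != INDEX_NONE;
    int has_disp  = op->disp_size != DISP_NONE;

    if (!has_base && !has_index)   /* direct: the offset is a 16-bit quantity */
        return op->disp_size == DISP_16 ? MODE_DIRECT : MODE_INVALID;
    if (has_base && has_index)
        return has_disp ? MODE_BASED_INDEXED_DISP : MODE_BASED_INDEXED;
    if (has_disp)
        return has_base ? MODE_BASED : MODE_INDEXED;
    /* Register indirect allows SI, DI or BX; BP alone is excluded. */
    return op->base == BASE_BP ? MODE_INVALID : MODE_REG_INDIRECT;
}

/* Offset = base + index + displacement, calculated modulo 2^16.
   An 8-bit displacement is sign-extended to 16 bits first. */
uint16_t effective_offset(const CpuRegs *r, const MemOperand *op)
{
    uint16_t base  = op->base == BASE_BX ? r->bx : op->base == BASE_BP ? r->bp : 0;
    uint16_t index = op->index == INDEX_SI ? r->si : op->index == INDEX_DI ? r->di : 0;
    uint16_t disp  = 0;

    if (op->disp_size == DISP_16)
        disp = op->disp;
    else if (op->disp_size == DISP_8)
        disp = (op->disp & 0x80) ? (uint16_t)(0xFF00 | (op->disp & 0xFF))
                                 : (uint16_t)(op->disp & 0xFF);
    return (uint16_t)(base + index + disp);
}

/* An override prefix wins; otherwise an address involving BP implies SS and
   every other data reference implies DS. */
SegReg selected_segment(const MemOperand *op)
{
    if (op->override != SEG_DEFAULT)
        return op->override;
    return op->base == BASE_BP ? SEG_SS : SEG_DS;
}

/* Real Address Mode only: the selector is the 16 most significant bits of the
   segment's physical base address, so base = selector * 16. Addresses past
   1 megabyte are not modelled. */
uint32_t real_mode_address(const CpuRegs *r, const MemOperand *op)
{
    SegReg seg = selected_segment(op);
    uint16_t selector = seg == SEG_CS ? r->cs : seg == SEG_ES ? r->es
                      : seg == SEG_SS ? r->ss : r->ds;
    return ((uint32_t)selector << 4) + effective_offset(r, op);
}

int main(void)
{
    CpuRegs r = sample_regs();
    MemOperand local = { BASE_BP, INDEX_NONE, DISP_8, 0x00FC, SEG_DEFAULT };  /* [BP - 4] */

    printf("[BP - 4]: mode %d, SS offset %04X, physical %05lX\n", (int)classify(&local),
           (unsigned)effective_offset(&r, &local),
           (unsigned long)real_mode_address(&r, &local));
    return 0;
}
```

With BX = 1000H and SI = 0020H, a 16-bit displacement of 0F000H yields offset 0020H rather than 10020H: the sum wraps within the 64K segment instead of reaching past it.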


Table 2-3 gives a summary of all memory
operand addressing options.


1. BASED MODE

        MOV AX, [BP + DATE_CODE]
        ADD [BX + BALANCE], CX

2. INDEXED MODE

        MOV ID[SI], DX
        SUB BX, DATA_TBL[SI]

3. BASED INDEXED

        MOV DX, [BP][DI]
        AND [BX + SI], 3FFH

4. BASED INDEXED MODE WITH DISPLACEMENT

        MOV CX, [BP][SI + CNT]
        SHR [BX + DI + MASK]

[Diagrams beside the examples mark the OPERAND within an ARRAY or BASED ARRAY.]


Figure 2-13. Complex Addressing Modes


Table 2-3. Memory Operand Addressing Modes

Addressing Mode                 Offset Calculation
---------------                 ------------------
Direct                          16-bit Displacement in the instruction
Register Indirect               BX, SI, DI
Based                           (BX or BP) + Displacement*
Indexed                         (SI or DI) + Displacement*
Based Indexed                   (BX or BP) + (SI or DI)
Based Indexed + Displacement    (BX or BP) + (SI or DI) + Displacement*

* The displacement can be a 0, 8 or 16-bit value.


2.5 INPUT/OUTPUT


The iAPX 286 allows input/output to be
performed in either of two ways: by means of
a separate I/O address space (using specific
I/O instructions) or by means of memory-
mapped I/O (using general-purpose operand
manipulation instructions).


2.5.1 I/O Address Space


The iAPX 286 provides a separate I/O
address space, distinct from physical memory,
to address the input/output ports that are
used for external devices. The I/O address
space consists of 2^16 (64K) individually
addressable 8-bit ports. Any two consecutive
8-bit ports can be treated as a 16-bit port.
Thus, the I/O address space can accommo-
date up to 64K 8-bit ports or up to 32K
16-bit ports. I/O port addresses 00F8H to
00FFH are reserved by Intel.


The iAPX 286 can transfer either 8 or 16 bits
at a time to a device located in the I/O space.
Like words in memory, 16-bit ports should be
aligned at even-numbered addresses so that
the 16 bits will be transferred in a single
access. An 8-bit port may be located at either
an even or odd address. The internal registers
in a given peripheral controller device should
be assigned addresses as shown below.


The I/O instructions IN and OUT (described
in section 3.11.3) are provided to move data
between I/O ports and the AX (16-bit I/O)
or AL (8-bit I/O) general registers. The block
I/O instructions INS and OUTS (described
in section 4.1) move blocks of data between
I/O ports and memory space (as shown
below). In Protected Mode, an operating
system may prevent a program from executing
these I/O instructions. Otherwise, the
function of the I/O instructions and the
structure of the I/O space are identical for
both modes of operation.


INS es:byte ptr [di], DX
OUTS DX, byte ptr [si]


IN and OUT instructions address I/O with
either a direct address to one of up to 256 port
addresses, or indirectly via the DX register to
one of up to 64K port addresses. Block I/O
uses the DX register to specify the I/O
address and either SI or DI to designate the
source or destination memory address. For
each transfer, SI or DI is either incremented
or decremented as specified by the
direction bit in the flag word while DX is
constant to select the I/O device.


Port Register                   Port Addresses         Example

16-bit                          even word addresses    OUT FE,AX
8-bit; device on lower half     even byte addresses    IN AL,FE
of 16-bit data bus
8-bit; device on upper half     odd byte addresses     OUT FF,AL
of 16-bit data bus


2.5.2 Memory-Mapped I/O


I/O devices also may be placed in the iAPX 
286 memory address space. So long as the 
devices respond like memory components, 
they are indistinguishable to the processor. 


Memory-mapped I/O provides additional 
programming flexibility. Any instruction that 
references memory may be used to access an 
I/O port located in the memory space. For 
example, the MOV instruction can transfer 
data between any register and a port; and the 
AND, OR, and TEST instructions may be 
used to manipulate bits in the internal regis- 
ters of a device (see figure 2-14). Memory- 
mapped I/O performed via the full instruc- 
tion set maintains the full complement of 
addressing modes for selecting the desired 
I/O device. 


Memory-mapped I/O, like any other memory 
reference, is subject to access protection and 
control when executing in protected mode. 


2.6 INTERRUPTS AND EXCEPTIONS 


The iAPX 286 architecture supports several
mechanisms for interrupting program execution.
Internal interrupts are synchronous
events that are the responses of the CPU to
certain events detected during the execution
of an instruction. External interrupts are
asynchronous events typically triggered by
external devices needing attention. The iAPX
286 supports both maskable (controlled by the
IF flag) and non-maskable interrupts. They
cause the processor to temporarily suspend its
present program execution in order to service
the requesting device. The major distinction
between these two kinds of interrupts is their
origin: an internal interrupt is always reproducible
by re-executing with the program and
data that caused the interrupt, whereas an
external interrupt is generally independent of
the currently executing task.


Interrupts 0-31 are reserved by Intel.


Application programmers will normally not be
concerned with servicing external interrupts.
More information on external interrupts for
system programmers may be found in Chapter
5, section 5.2, “Interrupt Handling for Real
Address Mode,” and in Chapter 9, “Interrupts,
Traps and Faults for Protected Virtual
Address Mode.”


Figure 2-14. Memory-Mapped I/O (labels: memory address space;
I/O device 1, internal register; I/O device 2, internal register)


Table 2-4. iAPX 286 Interrupt Vector Assignments (Real Address Mode)

Column headings: Interrupt Number; Related Instructions; Return Address
Before Instruction Causing Exception?

    Yes
    Any undefined opcode; Yes
    Processor extension segment overrun interrupt; ESC with memory
        operand extending beyond offset FFFF(H)
    Word memory reference with offset = FFFF(H) or an attempt to
        execute past the end of a segment
    Processor extension error interrupt; 16


In Real Address Mode, the application
programmer is affected by two kinds of internal
interrupts. (Internal interrupts are the
result of executing an instruction which causes
the interrupt.) One type of interrupt is called
an exception because the interrupt only occurs
if a particular fault condition exists. The other
type of interrupt generates the interrupt every
time the instruction is executed.


The exceptions are: divide error, INTO
detected overflow, bounds check, segment
overrun, invalid operation code, and processor
extension error (see table 2-4). A divide
error exception results when the instructions
DIV or IDIV are executed with a zero
denominator or when the quotient is
too large for the destination operand (see
section 3.3.4 for a discussion of DIV and
IDIV). An overflow exception results when
the INTO instruction is executed and the OF
flag is set (after an arithmetic operation that
set the overflow (OF) flag). (See section 3.6.3,
“Software Generated Interrupts,” for a
discussion of INTO.) A bounds check exception
results when the BOUND instruction is
executed and the array index it checks falls
outside the bounds of the array. (See section
4.2 for a discussion of the BOUND instruction.)
The segment overrun exception occurs
when a word memory reference is attempted
which extends beyond the end of a segment.
An invalid operation code exception occurs if
an attempt is made to execute an undefined
instruction operation code. A processor
extension error is generated when a processor
extension detects an illegal operation. Refer
to Chapter 5 for a more complete description
of these exception conditions.


The instruction INT generates an internal
interrupt whenever it is executed. The effects
of this interrupt (and the effects of all interrupts)
are determined by the interrupt handler
routines provided by the application program
or as part of the system software (provided
by system programmers). See Chapter 5 for
more on this topic. The INT instruction itself
is discussed in section 3.6.3.


In Protected Mode, many more fault conditions
are detected and result in internal interrupts.
Protected Mode interrupts and faults
are discussed in Chapter 10.


2.7 HIERARCHY OF INSTRUCTION SETS


For descriptive purposes, the iAPX 286
instruction set is partitioned into three distinct
subsets: the Basic Instruction Set, the
Extended Instruction Set, and the System
Control Instruction Set. The “hierarchy” of
instruction sets defined by this partitioning
helps to clarify the relationships between the
various processors in the iAPX 86 family (see
figure 2-15).


Figure 2-15. Hierarchy of Instructions (panels: Basic Instruction Set,
Extended Instruction Set, System Control Instruction Set; processors
shown: iAPX 86, iAPX 88, iAPX 186, iAPX 286)


The Basic Instruction Set, presented in
Chapter 3, comprises the common subset of
instructions found on all processors of the
iAPX 86 family. Included are instructions for
logical and arithmetic operations, data
movement, input/output, string manipulation,
and transfer of control.


The Extended Instruction Set, presented in
Chapter 4, consists of those instructions found
only on the iAPX 186 and iAPX 286 processors.
Included are instructions for block-structured
procedure entry and exit, parameter
validation, and block I/O transfers.


The System Control Instruction Set,
presented in Chapter 10, consists of those
instructions unique to the iAPX 286. These
instructions control the memory management
and protection mechanisms of the iAPX 286.




CHAPTER 3 
BASIC INSTRUCTION SET 


The base architecture of the iAPX 286 is 
identical to the complete instruction set of the 
iAPX 86, 88, and 186 processors. The iAPX 
286 instruction set includes new forms of some 
instructions. These new forms reduce program 
size and improve the performance and ease of 
implementation of source code.


This chapter describes the instructions which 
programmers can use to write application 
software for the iAPX 286. The following 
chapters describe the operation of more 
complicated I/O and system control
instructions. 


All instructions described in this chapter are 
available for both Real Address Mode and 
Protected Virtual Address Mode operation. 
The instruction descriptions note any differ- 
ences that exist between the operation of an 
instruction in these two modes. 


This chapter also describes the operation of
each application program-relative instruction
and includes an example of using the instruction.
The Instruction Dictionary in Appendix
B contains formal descriptions of all instructions.
Any opcode pattern that is not described
in the Instruction Dictionary is undefined
and results in an opcode violation trap
(interrupt 6).


3.1 DATA MOVEMENT INSTRUCTIONS 


These instructions provide convenient methods 
for moving bytes or words of data between 
memory and the registers of the base 
architecture. 


3.1.1 General-Purpose Data Movement 
Instructions 


MOV (Move) transfers a byte or a word from
the source operand to the destination operand.
The MOV instruction is useful for transferring
data to a register from memory, to
memory from a register, between registers,
immediate-to-register, or immediate-to-memory.
Memory-to-memory or segment
register-to-segment register moves are not
allowed.


Example: MOV DS,AX

Replaces the contents of register
DS with the contents of register
AX.


XCHG (Exchange) swaps the contents of two
operands. This instruction takes the place of
three MOV instructions. It does not require a
temporary memory location to save the
contents of one operand while you load the
other.


The XCHG instruction can swap two byte
operands or two word operands, but not a byte
for a word or a word for a byte. The operands
for the XCHG instruction may be two register
operands, or a register operand with a
memory operand. When used with a memory
operand, XCHG automatically activates the
LOCK signal.


Example: XCHG BX,WORDOPRND

Swaps the contents of register BX
with the contents of the memory
word identified by the label
WORDOPRND after asserting
bus lock.


3.1.2 Stack Manipulation Instructions 


PUSH (Push) decrements the stack pointer
(SP) by two and then transfers a word from
the source operand to the top of stack
indicated by SP. See figure 3-1. PUSH is
often used to place parameters on the stack
before calling a procedure; it is also the basic
means of storing temporary variables on the
stack. The PUSH instruction operates on
memory operands, immediate operands (new
with the iAPX 286), and register operands
(including segment registers).


Example: PUSH WORDOPRND

Transfers a 16-bit value from the
memory word identified by the
label WORDOPRND to the
memory location which represents
the current top of stack
(byte transfers are not allowed).


Figure 3-1. PUSH (stack shown before and after PUSH OPERAND, from
high address at the SS limit down to low address. SP always points to
the last word pushed onto the stack (TOS). SS always points to the
lowest address used by the stack. PUSH decrements SP by 2 bytes and
places the operand in the stack at the location to which SP points.)


PUSHA (Push All Registers) saves the
contents of the eight general registers on the
stack. See figure 3-2. This instruction simplifies
procedure calls by reducing the number
of instructions required to retain the contents
of the general registers for use in a procedure.
PUSHA is complemented by POPA
(see below).


The processor pushes the general registers on
the stack in the following order: AX, CX, DX,
BX, the initial value of SP before AX was
pushed, BP, SI, and DI.


Example: PUSHA

Pushes onto the stack the contents
of the eight general registers.


Figure 3-2. PUSHA (stack shown before PUSHA, from high address at the
SS limit down to low address. PUSHA copies the contents of the eight
general registers to the stack in the above order. The instruction
decrements SP by 16 bytes (8 words) to point to the last word pushed
on the stack.)


POP (Pop) transfers the word at the current
top of stack (indicated by SP) to the destination
operand, and then increments SP by
two to point to the new top of stack. See
figure 3-3. POP moves information from the
stack to either a register or memory. The only
restriction on POP is that it cannot place a
value in register CS.


Example: POP BX

Replaces the contents of register
BX with the contents of the
memory location at the top of
stack.


Figure 3-3. POP (stack shown before and after POP OPERAND, from high
address at the SS limit down to low address. POP copies the contents
of the stack location before SP to the operand in the instruction. POP
then increments SP by 2 bytes (1 word).)


POPA (Pop All Registers) restores the
registers saved on the stack by PUSHA,
except that it ignores the value of SP. See
figure 3-4.


Example: POPA

Pops from the stack the saved
contents of the general registers,
and restores the registers (except
SP) to their original state.

3.2 FLAG OPERATION WITH THE BASIC 
INSTRUCTION SET 


3.2.1 Status Flags 


The status flags of the FLAGS register reflect
conditions that result from a previous
instruction or instructions. The arithmetic
instructions use OF, SF, ZF, AF, PF, and CF.


The SCAS (Scan String), CMPS (Compare
String), and LOOP instructions use ZF to
signal that their operations are complete. The
base architecture includes instructions to set,
clear, and complement CF before execution
of an arithmetic instruction. See figure 3-5
and tables 3-1 and 3-2.


3.2.2 Control Flags


The control flags of the FLAGS register
determine processor operations for string
instructions, maskable interrupts, and
debugging.


Figure 3-4. POPA (stack shown before POPA, from high address at the
SS limit down to low address. POPA copies the contents of seven stack
locations to the corresponding general registers. POPA discards the
stored value of SP.)


Figure 3-5. Flag Word Contents (status flags: carry, parity, auxiliary
carry, zero, sign, overflow; control flags: trap flag, interrupt
enable, direction flag; special fields: I/O privilege level, nested
task flag)


Setting DF (direction flag) causes string
instructions to auto-decrement; that is, to
process strings from high addresses to low
addresses, or from “right-to-left.” Clearing
DF causes string instructions to auto-increment,
or to process strings from “left-to-right.”


Setting IF (interrupt flag) allows the CPU to
recognize external (maskable) interrupt
requests. Clearing IF disables these interrupts.
IF has no effect on either internally
generated interrupts, nonmaskable external
interrupts, or processor extension segment
overrun interrupts.


Setting TF (trap flag) puts the processor into
single-step mode for debugging. In this mode,
the CPU automatically generates an internal
interrupt after each instruction, allowing a
program to be inspected as it executes each
instruction, instruction by instruction.


3.3 ARITHMETIC INSTRUCTIONS 


The arithmetic instructions of the iAPX 86-family
processors simplify the manipulation
of numerical data. Multiplication and division
instructions ease the handling of signed and
unsigned binary integers as well as unpacked
decimal integers.


An arithmetic operation may consist of two
register operands, a general register source
operand with a memory destination operand,
a memory source operand with a register
destination operand, or an immediate field
with either a register or memory destination
operand, but not two memory operands.
Arithmetic instructions can operate on either
byte or word operands.


Table 3-1. Status Flags’ Functions

Bit Position

Carry Flag—Set on high-order bit carry or borrow; cleared otherwise

Parity Flag—Set if low-order eight bits of result contain an even
number of 1 bits; cleared otherwise

Set on carry from or borrow to the low order four bits of AL; cleared
otherwise

Zero Flag—Set if result is zero; cleared otherwise

Sign Flag—Set equal to high-order bit of result (0 if positive, 1 if
negative)

Overflow Flag—Set if result is too-large a positive number or
too-small a negative number (excluding sign-bit) to fit in destination
operand; cleared otherwise

Trap (Single Step) Flag—Once set, a single step interrupt occurs
after the next instruction executes. TF is cleared by the single step
interrupt.

Interrupt-enable Flag—When set, maskable interrupts will cause the
CPU to transfer control to an interrupt vector-specified location.

Direction Flag—Causes string instructions to auto decrement the
appropriate index registers when set. Clearing DF causes auto
increment.


3.3.1 Addition Instructions 

ADD (Add Integers) replaces the destination 
operand with the sum of the source and desti- 
nation operands. ADD affects OF, SF, AF, 
PF, CF, and ZF. 


Example: ADD BL, BYTEOPRND

Adds the contents of the memory
byte labeled BYTEOPRND to
the contents of BL, and replaces
BL with the resulting sum.


ADC (Add Integers with Carry) sums the
operands, adds one if CF is set, and replaces
the destination operand with the result. ADC
can be used to add numbers longer than 16
bits. ADC affects OF, SF, AF, PF, CF,
and ZF.


Example: ADC BX, CX

Replaces the contents of the
destination operand BX with the
sum of BX, CX, and 1 (if CF is
set). If CF is cleared, ADC
performs the same operation as
the ADD instruction.


INC (Increment) adds one to the destination
operand. The processor treats the operand as
an unsigned binary number. INC updates AF,
OF, PF, SF, and ZF, but it does not affect
CF. Use ADD with an immediate value of 1
if an increment that updates carry (CF) is
needed.


Example: INC BL

Adds 1 to the contents of BL.


3.3.2 Subtraction Instructions


SUB (Subtract Integers) subtracts the source
operand from the destination operand and
replaces the destination operand with the
result. If a borrow is required, the carry flag is
set. The operands may be signed or unsigned
bytes or words. SUB affects OF, SF, ZF, AF,
PF, and CF.


Example: SUB WORDOPRND, AX

Replaces the contents of the destination
operand WORDOPRND
with the result obtained by
subtracting the contents of AX
from the contents of the memory
word labeled WORDOPRND.


SBB (Subtract Integers with Borrow)
subtracts the source operand from the destination
operand, subtracts 1 if CF is set, and
returns the result to the destination operand.
The operands may be signed or unsigned bytes
or words. SBB may be used to subtract
numbers longer than 16 bits. This instruction
affects OF, SF, ZF, AF, PF, and CF. The
carry flag is set if a borrow is required.


Example: SBB BL, 32

Subtracts 32 from the contents of
BL and then decrements the
result of this subtraction by one if
CF is set. If CF is cleared, SBB
performs the same operation
as SUB.


DEC (Decrement) subtracts 1 from the destination
operand. DEC updates AF, OF, PF,
SF, and ZF, but it does not affect CF. Use
SUB with an immediate value of 1 to perform
a decrement that affects carry.


Example: DEC BX

Subtracts 1 from the contents of
BX and places the result back
in BX.


3.3.3 Multiplication Instructions


MUL (Unsigned Integer Multiply) performs
an unsigned multiplication of the source
operand and the accumulator. If the source is
a byte, the processor multiplies it by the
contents of AL and returns the double-length
result to AH and AL.


If the source operand is a word, the processor
multiplies it by the contents of AX and
returns the double-length result to DX and
AX. MUL sets CF and OF to indicate that
the upper half of the result is nonzero; otherwise,
they are cleared. This instruction leaves
SF, ZF, AF, and PF undefined.


Example: MUL BX

Replaces the contents of DX and
AX with the product of BX and
AX. The low-order 16 bits of the
result replace the contents of AX;
the high-order word goes to DX.
The processor sets CF and OF if
the unsigned result is greater than
16 bits.


IMUL (Signed Integer Multiply) performs a
signed multiplication operation. IMUL uses
AX and DX in the same way as the MUL
instruction, except when used in the immediate
form.


The immediate form of IMUL allows the
specification of a destination register other
than the combination of DX and AX. In this
case, the result cannot exceed 16 bits without
causing an overflow. If the immediate operand
is a byte, the processor automatically extends
it to 16 bits before performing the
multiplication.


The immediate form of IMUL may also be
used with unsigned operands because the low
16 bits of a signed or unsigned multiplication
of two 16-bit values will always be the same.


IMUL clears CF and OF to indicate that the
upper half of the result is the sign of the lower
half. This instruction leaves SF, ZF, AF, and
PF undefined.


Example: IMUL BL

Replaces the contents of AX with
the product of BL and AL. The
processor sets CF and OF if the
result is more than 8 bits long.


Example: IMUL BX, SI, 5

Replaces the contents of BX with
the product of the contents of SI
and an immediate value of 5. The
processor sets CF and OF if the
signed result is longer than
16 bits.
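

The following C model is an added illustration, not part of the original manual: it reproduces the word forms of MUL and IMUL and the immediate form of IMUL as described above, and shows why CF/OF from the immediate form cannot serve as an unsigned overflow check. All function and type names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint16_t dx;     /* high-order word of the product (DX) */
    uint16_t ax;     /* low-order word of the product (AX) */
    bool     cf_of;  /* CF and OF, which MUL/IMUL set or clear together */
} mul_result;

typedef struct {
    uint16_t dst;    /* 16-bit destination register of the immediate form */
    bool     cf_of;
} imul_imm_result;

/* Interpret a 16-bit register value as a signed integer. */
static int32_t sx16(uint16_t v)
{
    return (v & 0x8000u) ? (int32_t)v - 0x10000 : (int32_t)v;
}

/* MUL src (word): unsigned DX:AX = AX * src; CF/OF set when DX is nonzero. */
mul_result mul16(uint16_t ax, uint16_t src)
{
    uint32_t p = (uint32_t)ax * (uint32_t)src;
    mul_result r;
    r.dx = (uint16_t)(p >> 16);
    r.ax = (uint16_t)p;
    r.cf_of = (r.dx != 0);
    return r;
}

/* IMUL src (word): signed DX:AX = AX * src; CF/OF cleared when DX is
   only the sign extension of AX, i.e. the product fits in 16 signed bits. */
mul_result imul16(uint16_t ax, uint16_t src)
{
    int32_t p = sx16(ax) * sx16(src);
    mul_result r;
    r.dx = (uint16_t)((uint32_t)p >> 16);
    r.ax = (uint16_t)(uint32_t)p;
    r.cf_of = (p < -32768 || p > 32767);
    return r;
}

/* IMUL dst, src, imm: dst receives the low 16 bits of src * imm;
   CF/OF set when the signed result is longer than 16 bits. */
imul_imm_result imul16_imm(uint16_t src, uint16_t imm)
{
    int32_t p = sx16(src) * sx16(imm);
    imul_imm_result r;
    r.dst = (uint16_t)(uint32_t)p;
    r.cf_of = (p < -32768 || p > 32767);
    return r;
}

/* Defensive use of MUL's flags: compute count * elem_size for a 16-bit
   length and return -1 when the upper half of the product is nonzero. */
int32_t checked_size16(uint16_t count, uint16_t elem_size)
{
    mul_result r = mul16(count, elem_size);
    return r.cf_of ? -1 : (int32_t)r.ax;
}

int main(void)
{
    /* 300 * 200 = 60000 fits in 16 unsigned bits but not in 16 signed bits. */
    mul_result u = mul16(300, 200);
    imul_imm_result s = imul16_imm(300, 200);
    printf("MUL : DX:AX=%04X:%04X CF/OF=%d\n", u.dx, u.ax, u.cf_of);
    printf("IMUL: dst=%04X CF/OF=%d\n", s.dst, s.cf_of);
    printf("checked 0x2000*16 -> %ld\n", (long)checked_size16(0x2000, 16));
    return 0;
}
```

The low words agree in every case, but the flags answer different questions: for unsigned sizes, only the MUL form's CF/OF says whether the product was truncated.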


3.3.4 Division Instructions 


DIV (Unsigned Integer Divide) performs an 
unsigned division of the accumulator by the 
source operand. If the source operand is a 
byte, it is divided into the double-length 
dividend assumed to be in registers AL and 
AH (AH = most significant byte; AL = 
least significant byte). The single-length 
quotient is returned in AL, and the single- 
length remainder is returned in AH. 


If the source operand is a word, it is divided 
into the double-length dividend in registers 
AX and DX. The single-length quotient is 
returned in AX, and the single-length 
remainder is returned in DX. Non-integral 
quotients are truncated to integers toward 0. 
The remainder is always less than the 
quotient. 


For unsigned byte division, the largest
quotient is 255. For unsigned word division,
the largest quotient is 65,535. DIV leaves OF,
SF, ZF, AF, PF, and CF undefined. Interrupt
(INT 0) occurs if the divisor is zero or
if the quotient is too large for AL or AX.


Example: DIV BX

Replaces the contents of AX with
the unsigned quotient of the
doubleword value contained in
DX and AX, divided by BX. The
unsigned modulo replaces the
contents of DX.


Example: DIV BL

Replaces the contents of AL with
the unsigned quotient of the word
value in AX, divided by BL. The
unsigned modulo replaces the
contents of AH.


IDIV (Signed Integer Divide) performs a 
signed division of the accumulator by the 
source operand. IDIV uses the same registers 
as the DIV instruction. 


For signed byte division, the maximum
positive quotient is +127 and the minimum
negative quotient is —128. For signed word
division, the maximum positive quotient is
+32,767 and the minimum negative quotient
is —32,768. Non-integral results are
truncated towards 0. The remainder will
always have the same sign as the dividend and
will be less than the divisor in magnitude.
IDIV leaves OF, SF, ZF, AF, PF, and CF
undefined. An interrupt (INT 0) occurs
if the divisor is 0 or if
the quotient is too large for AL or AX.


Example: IDIV WORDOPRND

Replaces the contents of AX with
the signed quotient of the doubleword
value contained in DX and
AX, divided by the value
contained in the memory word
labeled WORDOPRND. The
signed modulo replaces the
contents of DX.
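

The divide error conditions for the word forms of DIV and IDIV can be checked with the following C model. It is an added illustration, not code from the manual; the names are hypothetical, the quotient limits are the ones stated above, and leaving AX and DX as passed in when the fault is reported is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    bool     fault;  /* true: divide error, interrupt 0 */
    uint16_t ax;     /* quotient on success */
    uint16_t dx;     /* remainder on success */
} div_result;

/* DIV src (word): unsigned DX:AX / src. Faults on a zero divisor or
   when the quotient does not fit in AX (larger than 65,535). */
div_result div16(uint16_t dx, uint16_t ax, uint16_t src)
{
    div_result r = { true, ax, dx };   /* model assumption: operands kept on fault */
    uint32_t dividend = ((uint32_t)dx << 16) | ax;

    if (src == 0)
        return r;
    if (dividend / src > 0xFFFFu)
        return r;
    r.fault = false;
    r.ax = (uint16_t)(dividend / src);
    r.dx = (uint16_t)(dividend % src);
    return r;
}

/* IDIV src (word): signed DX:AX / src. Faults on a zero divisor or when
   the quotient lies outside -32,768..+32,767. 64-bit arithmetic keeps the
   model itself free of overflow for inputs such as -2^31 / -1. */
div_result idiv16(uint16_t dx, uint16_t ax, uint16_t src)
{
    div_result r = { true, ax, dx };
    uint32_t raw = ((uint32_t)dx << 16) | ax;
    int64_t dividend = (raw & 0x80000000u) ? (int64_t)raw - 0x100000000LL
                                           : (int64_t)raw;
    int64_t divisor = (src & 0x8000u) ? (int64_t)src - 0x10000 : (int64_t)src;
    int64_t q, rem;

    if (divisor == 0)
        return r;
    q = dividend / divisor;    /* C99 truncates toward 0, as IDIV does */
    rem = dividend % divisor;  /* remainder takes the sign of the dividend */
    if (q > 32767 || q < -32768)
        return r;
    r.fault = false;
    r.ax = (uint16_t)q;
    r.dx = (uint16_t)rem;
    return r;
}

int main(void)
{
    /* Constructed inputs: a zero divisor is not the only faulting case. */
    div_result a = div16(0x0001, 0x0000, 1);        /* 65536 / 1 */
    div_result b = idiv16(0xFFFF, 0x8000, 0xFFFF);  /* -32768 / -1 */
    div_result c = idiv16(0xFFFF, 0xFFF9, 2);       /* -7 / 2 */
    printf("DIV  65536/1    fault=%d\n", a.fault);
    printf("IDIV -32768/-1  fault=%d\n", b.fault);
    printf("IDIV -7/2       AX=%04X DX=%04X fault=%d\n", c.ax, c.dx, c.fault);
    return 0;
}
```

A caller that only tests the divisor for zero before DIV or IDIV still reaches interrupt 0 on the first two inputs, so the handler for that vector has to tolerate both causes.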
3.4 LOGICAL INSTRUCTIONS


The group of logical instructions includes the
Boolean operation instructions, rotate and
shift instructions, type conversion instructions,
and the no-operation (NOP)
instruction.


3.4.1 Boolean Operation Instructions 


Except for the NOT and NEG instructions, 
the Boolean operation instructions can use two 
register operands, a general purpose register 
operand with a memory operand, an immedi- 
ate operand with a general purpose register 
operand, or a memory operand. The NOT and 
NEG instructions are unary operations that 
use a single operand in a register or memory. 


AND (And) performs the logical “and” of the
operands (byte or word) and returns the result
to the destination operand. AND clears OF
and DF, leaves AF undefined, and updates
SF, ZF, and PF.


Example: AND WORDOPRND, BX

Replaces the contents of
WORDOPRND with the logical
“and” of the contents of
the memory word labeled
WORDOPRND and the contents
of BX.


NOT (Not) inverts the bits in the specified
operand to form a one’s complement of the
operand. NOT has no effect on the flags.


Example: NOT BYTEOPRND

Replaces the original contents of
BYTEOPRND with the one’s
complement of the contents of
the memory word labeled
BYTEOPRND.


OR (Or) performs the logical “inclusive or”
of the two operands and returns the result to
the destination operand. OR clears OF and
DF, leaves AF undefined, and updates SF,
ZF, and PF.


Example: OR AL,5

Replaces the original contents of
AL with the logical “inclusive or”
of the contents of AL and the
immediate value 5.


XOR (Exclusive OR) performs the logical
“exclusive or” of the two operands and returns
the result to the destination operand. XOR
clears OF and DF, leaves AF undefined, and
updates SF, ZF, and PF.


Example: XOR DX, WORDOPRND

Replaces the original contents of
DX with the logical “exclusive or”
of the contents of DX and the
contents of the memory word
labeled WORDOPRND.


NEG (Negate) forms a two’s complement of
a signed byte or word operand. The effect of
NEG is to reverse the sign of the operand
from positive to negative or from negative to
positive. NEG updates OF, SF, ZF, AF, PF,
and CF.


Example: NEG AX

Replaces the original contents of
AX with the two’s complement of
the contents of AX.


3.4.2 Shift and Rotate Instructions 


The shift and rotate instructions reposition the
bits within the specified operand. The shift
instructions provide a convenient way to
accomplish division or multiplication by
binary power. The rotate instructions are
useful for bit testing.


3.4.2.1 SHIFT INSTRUCTIONS


The bits in bytes and words may be shifted 
arithmetically or logically. Depending on the 
value of a specified count, up to 31 shifts may 
be performed. 


A shift instruction can specify the count in 
one of three ways. One form of shift instruc- 
tion implicitly specifies the count as a single 
shift. The second form specifies the count as 
an immediate value. The third form specifies 
the count as the value contained in CL. This 
last form allows the shift count to be a 
variable that the program supplies during 
execution. Only the low order 5 bits of CL 
are used. 


Shift instructions affect the flags as follows. 
AF is always undefined following a shift 
operation. PF, SF, and ZF are updated 
normally as in the logical instructions. 


CF always contains the value of the last bit 
shifted out of the destination operand. In a 
single-bit shift, OF is set if the value of the 
high-order (sign) bit was changed by the 
operation. Otherwise, OF is cleared. Follow- 
ing a multibit shift, however, the content of 
OF is always undefined. 
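

The count and flag rules above can be exercised with the following C model of 16-bit shifts. It is an added illustration, not code from the manual, and it also covers the arithmetic right shift (SAR) that the section describes further on; all names are hypothetical, and reporting CF and OF as false for an effective count of 0 is an assumption of the model, since the text does not describe that case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum shift_op { OP_SHL, OP_SHR, OP_SAR };

typedef struct {
    uint16_t value;       /* operand after the shift */
    bool     cf;          /* last bit shifted out of the operand */
    bool     of;          /* valid only when of_defined is true */
    bool     of_defined;  /* OF is defined only for a single-bit shift */
    unsigned count;       /* effective count after masking CL */
} shift_result;

/* Shift a word operand by the count in CL, one bit position at a time. */
shift_result shift16(enum shift_op op, uint16_t v, uint8_t cl)
{
    unsigned count = cl & 0x1Fu;  /* only the low-order 5 bits of CL are used */
    shift_result r = { v, false, false, false, count };
    unsigned i;

    for (i = 0; i < count; i++) {
        uint16_t before = r.value;
        switch (op) {
        case OP_SHL:  /* zeros enter on the right, bits exit on the left */
            r.cf = (before & 0x8000u) != 0;
            r.value = (uint16_t)(before << 1);
            break;
        case OP_SHR:  /* zeros enter on the left, bits exit on the right */
            r.cf = (before & 1u) != 0;
            r.value = (uint16_t)(before >> 1);
            break;
        case OP_SAR:  /* the sign bit is copied into the vacated position */
            r.cf = (before & 1u) != 0;
            r.value = (uint16_t)((before >> 1) | (before & 0x8000u));
            break;
        }
        if (count == 1) {
            /* single-bit shift: OF set if the sign bit changed */
            r.of = ((before ^ r.value) & 0x8000u) != 0;
            r.of_defined = true;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed inputs showing the count masking on a word operand. */
    uint8_t counts[] = { 1, 16, 31, 32, 33 };
    size_t i;
    for (i = 0; i < sizeof counts; i++) {
        shift_result r = shift16(OP_SHL, 0x1234, counts[i]);
        printf("SHL 1234h by CL=%2u -> %04X (effective count %u, CF=%d)\n",
               (unsigned)counts[i], r.value, r.count, r.cf);
    }
    return 0;
}
```

Code that validates a caller-supplied shift count should compare the full CL value, not assume that a count of 32 or more clears the operand: CL = 32 leaves it unchanged and CL = 33 shifts it by one.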


SAL (Shift Arithmetic Left) shifts the desti- 


nation byte or word operand left by one or by 


the number of bits specified in the count 


operand (an immediate value or the value 
contained in CL). The processor shifts zeros 
in from the right side of the operand as bits 
exit from the left side. See figure 3-6. 


Example: | SAL BL,2 


Shifts the contents of BL left by 
2 bits and replaces the two low- 
order bits with zeros. 


Example: SAL BL,1 


Shifts the contents of BL left by 
1 bit and replaces the low-order 
bit with a zero. Because the 
processor does not have to decode 
the immediate count operand to 
obtain the shift count, this form 
of the instruction takes 2 clock 
cycles-rather than the 6 clock 
cycles (5 cycles + 1 cycle for 
each bit shifted) required by the 
previous example. 


SAL (Shift Logical Left) is physically the 
same instruction as SAL (see SAL above). 


SHR (Shift Logical Right) shifts the
destination byte or word operand right by one
or by the number of bits specified in the
count operand (an immediate value or the
value contained in CL). The processor shifts
zeros in from the left side of the operand as
bits exit from the right side. See
figure 3-7.


[Figure 3-6: bit diagrams of the operand before the shift, after SAL or SHL by 1 bit, and after SAL or SHL by 8 bits]


Both SAL and SHL shift the bits in the register or memory operand to the left by the specified number of bit positions. CF receives the
last bit shifted out of the left of the operand. SAL and SHL shift in zeros to fill the vacated bit locations. These instructions operate on
byte operands as well as word operands.


Figure 3-6. SAL and SHL
Example: SHR BYTEOPRND, CL


Shifts the contents of the memory
byte labeled BYTEOPRND right
by the number of bits specified in
CL, and pads the left side of
BYTEOPRND with an equal
number of zeros.


SAR (Shift Arithmetic Right) shifts the
destination byte or word operand to the right
by one or by the number of bits specified in
the count operand (an immediate value or the
value contained in CL). The processor
preserves the sign of the operand by shifting
in zeros on the left side if the value is positive
or by shifting by ones if the value is negative.
See figure 3-8.


Example: SAR WORDPRND,1


Shifts the contents of the memory
byte labeled WORDPRND right
by one, and replaces the high-order
sign bit with a value equal
to the original sign of
WORDPRND.


SHR shifts the bits in the register or memory operand to the right by the specified number of bit positions. CF receives the last bit shifted
out of the right of the operand. SHR shifts in zeros to fill the vacated bit locations. This instruction operates on byte operands as well as
word operands.


Figure 3-7. SHR
SAR preserves the sign of the register or memory operand as it shifts the operand to the right the specified number of bit positions. CF
receives the last bit shifted out of the right of the operand. This instruction also operates on byte operands.


Figure 3-8. SAR


3.4.2.2 ROTATE INSTRUCTIONS


Rotate instructions allow bits in bytes and 
words to be rotated. Bits rotated out of an 
operand are not lost as in a shift, but are 
“circled” back into the other “end” of the 
operand. 


Rotates affect only the carry and overflow 
flags. CF may act as an extension of the 
operand in two of the rotate instructions, 
allowing a bit to be isolated and then tested 
by a conditional jump instruction (JC or 
JNC). CF always contains the value of the 
last bit rotated out, even if the instruction does 
not use this bit as an extension of the rotated 
operand. 


In single-bit rotates, OF is set if the operation
changes the high-order (sign) bit of the
destination operand. If the sign bit retains its
original value, OF is cleared. On multibit
rotates, the value of OF is always undefined.


ROL (Rotate Left) rotates the byte or word 
destination operand left by one or by the 
number of bits specified in the count operand 
(an immediate value or the value contained 
in CL). For each rotation specified, the
high-order bit that exits from the left of the
operand returns at the right to become the
new low-order bit of the operand. See
figure 3-9.


Example: ROL AL, 8 


Rotates the contents of AL left by 
8 bits. This rotate instruction 
returns AL to its original state but 
isolates the low-order bit in CF 
for testing by a JC or JNC 
instruction. 
ROL shifts the bits in the memory or register operand to the left by the specified number of bit positions. It copies the bit shifted out of
the left of the operand into the right of the operand. The last bit shifted into the least significant bit of the operand also appears in CF.
This instruction also operates on byte operands.


Figure 3-9. ROL
ROR (Rotate Right) rotates the byte or word
destination operand right by one or by the
number of bits specified in the count operand
(an immediate value or the value contained
in CL). For each rotation specified, the
low-order bit that exits from the right of the
operand returns at the left to become the new
high-order bit of the operand. See
figure 3-10.


Example: ROR WORDOPRND, CL


Rotates the contents of
the memory word labeled
WORDOPRND by the number
of bits specified by the value
contained in CL. CF reflects the
value of the last bit rotated from
the right to the left side of the
operand.


[Figure 3-10: bit diagrams of the operand before ROR, after ROR by 1 bit, and after ROR by 8 bits]


ROR shifts the bits in the memory or register operand to the right by the specified number of bit positions. It copies each bit shifted out
of the right of the operand into the left of the operand. The last bit shifted into the most significant bit of the operand also appears in
CF. This instruction also operates on byte operands.


Figure 3-10. ROR
RCL (Rotate Through Carry Left) rotates bits
in the byte or word destination operand left
by one or by the number of bits specified in
the count operand (an immediate value or the
value contained in CL).


This instruction differs from ROL in that it
treats CF as a high-order 1-bit extension of
the destination operand. Each high-order bit
that exits from the left side of the operand
moves to CF before it returns to the operand
as the low-order bit on the next rotation cycle.
See figure 3-11.


Example: RCL BX,1


Rotates the contents of BX left by
one bit. The high-order bit of the
operand moves to CF, the
remaining 15 bits move left one
position, and the original value of
CF becomes the new low-order
bit.


[Figure 3-11: bit diagrams of the operand before RCL, after RCL by 1 bit, and after RCL by 16 bits]


RCL rotates the bits in the memory or register operand to the left in the same way as ROL except that RCL treats CF as a 1-bit extension
of the operand. Note that a 16-bit RCL produces the same result as a 1-bit RCR (though it takes much longer to execute). This instruction
also operates on byte operands.


Figure 3-11. RCL
RCR (Rotate Through Carry Right) rotates
bits in the byte or word destination operand
right by one or by the number of bits specified
in the count operand (an immediate value
or the value contained in CL).


This instruction differs from ROR in that it
treats CF as a low-order 1-bit extension of the
destination operand. Each low-order bit that
exits from the right side of the operand moves
to CF before it returns to the operand as the
high-order bit on the next rotation cycle. See
figure 3-12.


Example: RCR BYTEOPRND,3


Rotates the contents of the
memory byte labeled
BYTEOPRND to the right by 3
bits. Following the execution of
this instruction, CF reflects the
original value of bit number 5 of
BYTEOPRND, and the original
value of CF becomes bit 2.


[Figure 3-12: bit diagrams of the operand before RCR, after RCR by 1 bit, and after RCR by 3 bits]


RCR rotates the bits in the memory or register operand to the right in the same way as ROR except that RCR treats CF as a 1-bit extension
of the operand. This instruction also operates on byte operands.


Figure 3-12. RCR
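

The rotate rules of section 3.4.2.2 can be checked with a small software model. The following C code is an added example, not part of the Intel manual; the type and function names are this example's own, it models word operands only, and it assumes the 5-bit count mask described for shifts also applies to rotates.

```c
#include <stdint.h>
#include <stdio.h>

/* Operand and carry flag after a 16-bit rotate (names are this example's own). */
struct rot16 { uint16_t val; unsigned cf; };

/* ROL: each bit leaving the left re-enters on the right; CF copies it. */
static struct rot16 rol16(uint16_t v, unsigned cf, unsigned count)
{
    struct rot16 r = { v, cf & 1 };
    for (count &= 31; count; count--) {      /* assumption: count masked to 5 bits */
        unsigned out = (r.val >> 15) & 1;
        r.val = (uint16_t)((r.val << 1) | out);
        r.cf = out;
    }
    return r;
}

/* ROR: each bit leaving the right re-enters on the left; CF copies it. */
static struct rot16 ror16(uint16_t v, unsigned cf, unsigned count)
{
    struct rot16 r = { v, cf & 1 };
    for (count &= 31; count; count--) {
        unsigned out = r.val & 1;
        r.val = (uint16_t)((r.val >> 1) | (out << 15));
        r.cf = out;
    }
    return r;
}

/* RCL: CF is a 17th bit; the old CF enters on the right, the high bit moves to CF. */
static struct rot16 rcl16(uint16_t v, unsigned cf, unsigned count)
{
    struct rot16 r = { v, cf & 1 };
    for (count &= 31; count; count--) {
        unsigned out = (r.val >> 15) & 1;
        r.val = (uint16_t)((r.val << 1) | r.cf);
        r.cf = out;
    }
    return r;
}

/* RCR: the old CF enters on the left, the low bit moves to CF. */
static struct rot16 rcr16(uint16_t v, unsigned cf, unsigned count)
{
    struct rot16 r = { v, cf & 1 };
    for (count &= 31; count; count--) {
        unsigned out = r.val & 1;
        r.val = (uint16_t)((r.val >> 1) | (r.cf << 15));
        r.cf = out;
    }
    return r;
}

/* Figure 3-11 note: a 16-bit RCL gives the same operand and CF as a 1-bit RCR. */
static int rcl16_matches_rcr1(uint16_t v, unsigned cf)
{
    struct rot16 a = rcl16(v, cf, 16);
    struct rot16 b = rcr16(v, cf, 1);
    return a.val == b.val && a.cf == b.cf;
}

int main(void)
{
    uint16_t v = 0xB3C5;                      /* constructed sample value */
    struct rot16 r = rcl16(0x8001, 0, 1);     /* RCL BX,1 with BX=8001h, CF=0 */
    printf("RCL 8001h,1     -> %04X CF=%u\n", (unsigned)r.val, r.cf);
    r = rol16(v, 0, 16);                      /* full turn: operand restored, CF = old bit 0 */
    printf("ROL %04Xh,16    -> %04X CF=%u\n", (unsigned)v, (unsigned)r.val, r.cf);
    r = ror16(0x0001, 0, 1);
    printf("ROR 0001h,1     -> %04X CF=%u\n", (unsigned)r.val, r.cf);
    printf("RCL by 16 == RCR by 1: %d\n", rcl16_matches_rcr1(v, 1));
    return 0;
}
```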
3.4.3 Type Conversion and No-Operation
Instructions


The type conversion instructions prepare
operands for division. The NOP instruction is
a 1-byte filler instruction with no effect on
registers or flags.


CWD (Convert Word to Double-Word) 
extends the sign of the word in register AX 
throughout register DX. CWD does not affect 
any flags. CWD can be used to produce a 
double-length (double-word) dividend from a 
word before a word division. 


CBW (Convert Byte to Word) extends the sign 
of the byte in register AL throughout AX. 
CBW does not affect any flags. 


Example: CWD


Sign-extends the 16-bit value in
AX to a 32-bit value in DX and
AX with the high-order 16-bits
occupying DX.


NOP (No Operation) occupies a byte of 
storage but affects nothing but the instruc- 
tion pointer, IP. The amount of time that a 
NOP instruction requires for execution varies 
in proportion to the CPU clocking rate. This 
variation makes it inadvisable to use NOP 
instructions in the construction of timing loops 
because the operation of such a program will 
not be independent of the system hardware 
configuration. 


Example: NOP


The processor performs no operation
for 2 clock cycles.


3.5 TEST AND COMPARE INSTRUCTIONS 


The test and compare instructions are similar 
in that they do not alter their operands. 
Instead, these instructions perform opera- 
tions that only set the appropriate flags to 
indicate the relationship between the two 
operands. 
TEST (Test) performs the logical “and” of
the two operands, clears OF and DF, leaves
AF undefined, and updates SF, ZF, and PF.
The difference between TEST and AND is
that TEST does not alter the destination
operand.


Example: TEST BL,32 


Performs a logical “and” and sets 
SF, ZF, and PF according to the 
results of this operation. The 
contents of BL remain 
unchanged. 


CMP (Compare) subtracts the source operand 
from the destination operand. It updates OF, 
SF, ZF, AF, PF, and CF but does not alter 
the source and destination operands. A subse- 
quent signed or unsigned conditional transfer 
instruction can test the result using the 
appropriate flag result. 


CMP can compare two register operands, a 
register operand and a memory operand, a 
register operand and an immediate operand, 
or an immediate operand and a memory 
operand. The operands may be words or bytes, 
but CMP cannot compare a byte with a word. 


Example: CMP BX,32 


Subtracts the immediate operand, 
32, from the contents of BX and 
sets OF, SF, ZF, AF, PF, and CF 
to reflect the result. The contents 
of BX remain unchanged. 


3.6 CONTROL TRANSFER INSTRUCTIONS 


The iAPX 286 provides both conditional and 
unconditional program transfer instructions to 
direct the flow of execution. Conditional 
program transfers depend on the results of 
operations that affect the flag register. 
Unconditional program transfers are always 
executed. 
3.6.1 Unconditional Transfer Instructions


JMP, CALL, RET, INT and IRET instruc- 
tions transfer control from one code segment 
location to another. These locations can be 
within the same code segment or in different 
code segments. 


3.6.1.1 JUMP INSTRUCTION


JMP (Jump) unconditionally transfers control 
to the target location. JMP is a one-way 
transfer of execution; it does not save a return 
address on the stack. 


The JMP instruction always performs the
same basic function of transferring control
from the current location to a new location.
Its implementation varies depending on the
following factors:


• Is the address specified directly within the
  instruction or indirectly through a register
  or memory?


• Is the target location inside or outside the
  current code segment selected in CS?


A direct JMP instruction includes the desti- 
nation address as part of the instruction. An 
indirect JMP instruction obtains the destina- 
tion address indirectly through a register or a 
pointer variable. 


Control transfers through a gate or to a task 
state segment are available only in Protected 
Mode operation of the iAPX 286. The formats 
of the instructions that transfer control 
through a call gate, a task gate, or to a task 
state segment are the same. The label 
included in the instruction selects one of these 
three paths to a new code segment. 


Direct JMP within the current code segment. 
A direct JMP that transfers control to a target 
location within the current code segment uses 
a relative displacement value contained in the 
instruction. This can be either a 16-bit value 
or an 8-bit value sign extended to 16 bits. The
processor forms an effective address by adding 
this relative displacement to the address 
contained in IP. IP refers to the next instruc- 
tion when the additions are performed. 


Example: JMP NEAR_NEWCODE


Transfers control to the
target location labeled
NEAR_NEWCODE, which is
within the code segment currently
selected in CS.


Indirect JMP within the current code 
segment. Indirect JMP instructions that 
transfer control to a location within the 
current code segment specify an absolute 
address in one of several ways. First, the 
program can JMP to a location specified by 
a 16-bit register (any of AX, DX, CX, BX, 
BP, SI, or DI). The processor moves this 16- 
bit value into IP and resumes execution. 


Example: JMP SI 


Transfers control to the target 
address formed by adding the 16- 
bit value contained in SI to the 
base address contained in CS. 


The processor can also obtain the destination 
address within a current segment from a 
memory word operand specified in the 
instruction. 


Example: JMP PTR_X 


Transfers control to the target 
address formed by adding the 16- 
bit value contained in the memory 
word labeled PTR_X to the base
address contained in CS. 


A register can modify the address of the 
memory word pointer to select a destination 
address. 
Example: JMP CASE_TABLE [BX]


CASE_TABLE is the first word
in an array of word pointers. The
value of BX determines which
pointer the program selects from
the array. The JMP instruction
then transfers control to the
location specified by the selected
pointer.


Direct JMP outside of the current code 
segment. Direct JMP instructions that specify 
a target location outside the current code 
segment contain a full 32-bit pointer. This 
pointer consists of a selector for the new code 
segment and an offset within the new 
segment. 


Example: JMP FAR_NEWCODE_FOO 


Places the selector contained in 
the instruction into CS and the 
offset into IP. The program 
resumes execution at this location 
in the new code segment. 


Indirect JMP outside of the current code 
segment. Indirect JMP instructions that 
specify a target location outside the current 
code segment use a double-word variable to 
specify the pointer.


Example: JMP NEWCODE


NEWCODE is the first word of two
consecutive words in memory
which represent the new pointer.
NEWCODE contains the new
offset for IP and the word following
NEWCODE contains the
selector for CS. The program
resumes execution at this location
in the new code segment.
(Protected mode programs treat
this differently. See Chapters 6
and 7).


Direct JMP outside of the current code 
segment to a call gate. If the selector included 
with the instruction refers to a call gate, then 
the processor ignores the offset in the instruc- 
tion and takes the pointer of the routine being 
entered from the call gate. 


JMP outside of current code segment may 
only go to the same level. 


Example: JMP CALL_GATE_FOO 


The selector in the instruction 
refers to the call gate
CALL_GATE_FOO, and the call 
gate actually provides the new 
contents of CS and IP to specify 
the address of the next 
instructions. 


Indirect JMP outside the current code 
segment to a call gate. If the selector speci- 
fied by the instruction refers to a call gate, 
the processor ignores the offset in the double- 
word and takes the address of the routine 
being entered from the call gate. The JMP 
instruction uses the same format to indirectly 
specify a task gate or a task state segment. 


Example: JMP CASE_TABLE [BX] 


The instruction refers to the 
double-word in the array of 
pointers called CASE_TABLE. 
The specific double-word chosen 
depends on the value in BX when 
the instruction executes. The 
selector portion of this double- 
word selects a call gate, and the 
processor takes the address of the 
routine being entered from the 
call gate. 
3.6.1.2 CALL INSTRUCTION


CALL (Call Procedure) activates an out-of- 
line procedure, saving on the stack the address 
of the instruction following the CALL for 
later use by a RET (Return) instruction. An 
intrasegment CALL places the current value 
of IP on the stack. An intersegment CALL 
places both the value of IP and CS on the 
stack. The RET instruction in the called 
procedure uses this address to transfer control 
back to the calling program. 


A long CALL instruction that invokes a task- 
switch stores the outgoing task’s task state 
segment selector in the incoming task state 
segment’s link field and sets the nested task 
flag in the new task. In this case, the IRET 
instruction takes the place of the RET 
instruction to return control to the nested task. 


Examples:


CALL NEAR_NEWCODE
CALL SI
CALL PTR_X
CALL CASE_TABLE [BP]
CALL FAR_NEWCODE_FOO
CALL NEWCODE
CALL CALL_GATE_FOO
CALL CASE_TABLE [BX]


See the previous treatment of JMP for a
discussion of the operations of these
instructions.


3.6.1.3 RETURN AND RETURN FROM INTERRUPT 
INSTRUCTION 


RET (Return From Procedure) terminates the
execution of a procedure and transfers control
through a back-link on the stack to the
program that originally invoked the
procedure.


An intrasegment RET restores the value of
IP that was saved on the stack by the previous
intrasegment CALL instruction. An intersegment
RET restores the values of both CS
and IP which were saved on the stack by the
previous intersegment CALL instruction.


RET instructions may optionally specify a 
constant to the stack pointer. This constant 
specifies the new top of stack to effectively 
remove any arguments that the calling 
program pushed on the stack before the 
execution of the CALL instruction. 


Example: RET 


If the previous CALL instruction 
did not transfer control to a new 
code segment, RET restores the 
value of IP pushed by the CALL
instruction. If the previous CALL 
instruction transferred control to 
a new segment, RET restores the 
values of both IP and CS which 
were pushed on the stack by the 
CALL instruction. 


Example: RET n 


This form of the RET instruction 
performs identically to the above 
example except that it adds n 
(must be an even value) to the 
value of SP to eliminate n bytes 
of parameter information previ- 
ously pushed by the calling 
program. 


IRET (Return From Interrupt or Nested 
Task) returns control to an interrupted 
routine or, optionally, reverses the action of a 
CALL or INT instruction that caused a task 
switch. See Chapter 8 for further information 
on task switching.


Example: IRET 


Returns from an interrupt with or 
without a task-switch based on the 
value of the NT bit. 
3.6.2 Conditional Transfer Instructions


The conditional transfer instructions are 
jumps that may or may not transfer control, 
depending on the state of the CPU flags when 
the instruction executes. Instruction encoding 
is most efficient when the target for the 
conditional jumps is in the current code 
segment and within -128 to +127 bytes of
the first byte of the next instruction. Alter- 
natively, the opposite sense of the conditional 
jump can skip around an unconditional jump 
to the destination. 


3.6.2.1 CONDITIONAL JUMP INSTRUCTIONS 


Table 3-3 shows the conditional transfer 
mnemonics and their interpretations. The 
conditional jumps that are listed as pairs are 
actually the same instruction. The assembler 
provides the alternate mnemonics for greater 
clarity within a program listing. 
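

How the flag conditions of Table 3-3 separate signed from unsigned tests after a CMP is shown by the following C model of a 32-entry table index check, the kind of check that would guard JMP CASE_TABLE [BX]. It is an added example, not part of the Intel manual; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* The four flags the conditional jumps below test. */
struct flags { unsigned cf, zf, sf, of; };

/* CMP dst,src on word operands: compute dst - src and keep only the flags. */
static struct flags cmp16(uint16_t dst, uint16_t src)
{
    uint16_t res = (uint16_t)(dst - src);
    struct flags f;
    f.cf = dst < src;                                  /* unsigned borrow */
    f.zf = res == 0;
    f.sf = (res >> 15) & 1;
    f.of = (((dst ^ src) & (dst ^ res)) >> 15) & 1;    /* signed overflow */
    return f;
}

/* Unsigned conditions from Table 3-3. */
static int ja(struct flags f)  { return (f.cf | f.zf) == 0; }
static int jae(struct flags f) { return f.cf == 0; }
static int jb(struct flags f)  { return f.cf == 1; }
static int jbe(struct flags f) { return (f.cf | f.zf) == 1; }

/* Signed conditions from Table 3-3. */
static int jg(struct flags f)  { return ((f.sf ^ f.of) | f.zf) == 0; }
static int jge(struct flags f) { return (f.sf ^ f.of) == 0; }
static int jl(struct flags f)  { return (f.sf ^ f.of) == 1; }
static int jle(struct flags f) { return ((f.sf ^ f.of) | f.zf) == 1; }

/* "CMP BX,limit / JB ok": unsigned check, rejects every index >= limit. */
static int index_ok_unsigned(uint16_t bx, uint16_t limit)
{
    return jb(cmp16(bx, limit));
}

/* "CMP BX,limit / JL ok": signed check, accepts 8000h..FFFFh as "negative". */
static int index_ok_signed(uint16_t bx, uint16_t limit)
{
    return jl(cmp16(bx, limit));
}

int main(void)
{
    /* Constructed sample indexes checked against a 32-entry table. */
    static const uint16_t samples[] = { 0, 31, 32, 0x7FFF, 0x8000, 0xFFFF };
    size_t i;

    printf("index  JA JAE JB JBE | JG JGE JL JLE | unsigned-ok signed-ok\n");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct flags f = cmp16(samples[i], 32);
        printf("%04X   %d  %d   %d  %d   | %d  %d   %d  %d   | %d           %d\n",
               (unsigned)samples[i], ja(f), jae(f), jb(f), jbe(f),
               jg(f), jge(f), jl(f), jle(f),
               index_ok_unsigned(samples[i], 32),
               index_ok_signed(samples[i], 32));
    }
    return 0;
}
```

An index of FFFFh passes the signed check and fails the unsigned one, so a table bound is tested with the unsigned mnemonics.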


Table 3-3. Interpretation of Conditional Transfers


Unsigned Conditional Transfers

Mnemonic   Condition Tested           "Jump If ..."

JA/JNBE    (CF or ZF) = 0             above/not below nor equal
JAE/JNB    CF = 0                     above or equal/not below
JB/JNAE    CF = 1                     below/not above nor equal
JBE/JNA    (CF or ZF) = 1             below or equal/not above
JC         CF = 1                     carry
JE/JZ      ZF = 1                     equal/zero
JNC        CF = 0                     not carry
JNE/JNZ    ZF = 0                     not equal/not zero
JNP/JPO    PF = 0                     not parity/parity odd
JP/JPE     PF = 1                     parity/parity even


Signed Conditional Transfers

JG/JNLE    ((SF xor OF) or ZF) = 0    greater/not less nor equal
JGE/JNL    (SF xor OF) = 0            greater or equal/not less
JL/JNGE    (SF xor OF) = 1            less/not greater nor equal
JLE/JNG    ((SF xor OF) or ZF) = 1    less or equal/not greater
JNO        OF = 0                     not overflow
JNS        SF = 0                     not sign (positive, including 0)
JO         OF = 1                     overflow
JS         SF = 1                     sign (negative)


3.6.2.2 LOOP INSTRUCTIONS


The loop instructions are conditional jumps
that use a value placed in CX to specify the
number of repetitions of a software loop. All
loop instructions automatically decrement CX
and terminate the loop when CX=0. Four of
the five loop instructions specify a condition
of ZF that terminates the loop before CX
decrements to zero.


LOOP (Loop While CX Not Zero) is a conditional
transfer that auto-decrements the CX
register before testing CX for the branch
condition. If CX is non-zero, the program
branches to the target label specified in the
instruction. The LOOP instruction causes the
repetition of a code section until the operation
of the LOOP instruction decrements CX
to a value of zero. If LOOP finds CX=0,
control transfers to the instruction immediately
following the LOOP instruction. If the
value of CX is initially zero, then the LOOP
executes 65536 times.


Example: LOOP START_LOOP


Each time the program encounters
this instruction, it decrements
CX and then tests it. If the
value of CX is non-zero, then the
program branches to the instruction
labeled START_LOOP. If
the value in CX is zero, then the
program continues with the
instruction that follows the LOOP
instruction.


LOOPE (Loop While Equal) and LOOPZ
(Loop While Zero) are physically the same
instruction. These instructions auto-decrement
the CX register before testing CX and
ZF for the branch conditions. If CX is non-zero
and ZF=1, the program branches to the
target label specified in the instruction. If
LOOPE or LOOPZ finds that CX=0 or
ZF=0, control transfers to the instruction
immediately succeeding the LOOPE or
LOOPZ instruction.


Example: LOOPE START_LOOP (or
LOOPZ START_LOOP)


Each time the program encounters
this instruction, it decrements
CX and tests CX and ZF.
If the value in CX is non-zero and
the value of ZF is 1, the program
branches to the instruction labeled
START_LOOP. If CX=0 or
ZF=0, the program continues
with the instruction that follows
the LOOPE (or LOOPZ)
instruction.


LOOPNE (Loop While Not Equal) and 
LOOPNZ (Loop While Not Zero) are physi- 
cally the same instruction. These instructions 
auto-decrement the CX register before testing
CX and ZF for the branch conditions. If CX 
is non-zero and ZF=0, the program branches 
to the target label specified in the instruction. 
If LOOPNE or LOOPNZ finds that CX =0 
or ZF=1, control transfers to the instruction 
immediately succeeding the LOOPNE or 
LOOPNZ instruction. 

Example: LOOPNE START_LOOP (or 
LOOPNZ START_LOOP) 


Each time the program encoun- 
ters this instruction, it decre- 
ments CX and tests CX and ZF. 
If the value of CX is non-zero and 
the value of ZF is 0, the program 
branches to the instruction labeled 
START_LOOP. If CX=0 or
ZF=1, the program continues 
with the instruction that follows 
the LOOPNE (or LOOPNZ) 
instruction. 


3.6.2.3 EXECUTING A LOOP OR REPEAT
ZERO TIMES


JCXZ (Jump if CX Zero) branches to the
label specified in the instruction if it finds a
value of zero in CX. Sometimes, it is desirable
to design a loop that executes zero times
if the count variable in CX is initialized to
zero. Because the LOOP instructions (and
repeat prefixes) decrement CX before they
test it, a loop will execute 65536 times if the
program enters the loop with a zero value in
CX. A programmer may conveniently
overcome this problem with JCXZ, which
enables the program to branch around the
code within the loop if CX is zero when JCXZ
executes.


Example: JCXZ TARGETLABEL


Causes the program to branch
to the instruction labeled
TARGETLABEL if CX=0 when
the instruction executes.
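

The zero-count behavior of LOOP and the JCXZ guard can be traced with a 16-bit software model of CX. The following C code is an added example, not part of the Intel manual; the function names and the sample data are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data for the LOOPNE search below. */
static const uint8_t DATA[4] = { 0x10, 0x20, 0x30, 0x40 };

/* LOOP: decrement CX first, then branch while CX is non-zero. */
static int loop_taken(uint16_t *cx)
{
    *cx = (uint16_t)(*cx - 1);          /* 0000h wraps to FFFFh */
    return *cx != 0;
}

/* LOOPNE/LOOPNZ: decrement CX, then branch while CX != 0 and ZF = 0. */
static int loopne_taken(uint16_t *cx, int zf)
{
    *cx = (uint16_t)(*cx - 1);
    return *cx != 0 && zf == 0;
}

/*
 * Number of times the body of "START_LOOP: body ; LOOP START_LOOP" runs
 * for a given entry value of CX, with or without a JCXZ placed before it.
 */
static uint32_t body_runs(uint16_t cx, int jcxz_guard)
{
    uint32_t runs = 0;

    if (jcxz_guard && cx == 0)          /* JCXZ branches around the loop */
        return 0;
    do {
        runs++;                          /* the loop body */
    } while (loop_taken(&cx));
    return runs;
}

/*
 * Search len bytes for key with a compare in the body and LOOPNE at the end.
 * The loop ends on a match (ZF=1) or on CX=0, so ZF is tested afterwards:
 * a match in the last element also leaves CX=0.
 */
static int search_loopne(const uint8_t *buf, uint16_t len, uint8_t key)
{
    uint16_t cx = len;
    uint16_t i = 0;
    int zf = 0;

    if (cx == 0)                         /* JCXZ guard for an empty buffer */
        return -1;
    do {
        zf = (buf[i] == key);            /* the compare in the body sets ZF */
        i++;
    } while (loopne_taken(&cx, zf));
    return zf ? (int)i - 1 : -1;
}

int main(void)
{
    printf("CX=3, no guard : body runs %lu times\n", (unsigned long)body_runs(3, 0));
    printf("CX=0, no guard : body runs %lu times\n", (unsigned long)body_runs(0, 0));
    printf("CX=0, JCXZ     : body runs %lu times\n", (unsigned long)body_runs(0, 1));
    printf("search 30h     : index %d\n", search_loopne(DATA, 4, 0x30));
    printf("search 40h     : index %d\n", search_loopne(DATA, 4, 0x40));
    printf("search 99h     : index %d\n", search_loopne(DATA, 4, 0x99));
    return 0;
}
```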
3.6.3 Software-Generated Interrupts


The INT n and INTO instructions allow the 
programmer to specify a transfer to an inter- 
rupt service routine from within a program. 
Interrupts 0-31 are reserved by Intel. 


3.6.3.1 SOFTWARE INTERRUPT INSTRUCTION 
INT n (Software Interrupt) activates the 
interrupt service routine that corresponds to 
the number coded within the instruction. 
Interrupt type 3 is reserved for internal 
software-generated interrupts. However, the 
INT instruction may specify any interrupt
type to allow multiple types of internal inter- 
rupts or to test the operation of a service 
routine. The interrupt service routine termi- 
nates with an IRET instruction that returns 
control to the instruction that follows INT. 


Example: INT 3 


Transfers control to the interrupt 
service routine specified by a type 
3 interrupt. 


Example: INT 0


Transfers control to the interrupt
service routine specified by a type
0 interrupt, which is reserved for
a divide error.


INTO (Interrupt on Overflow) invokes a type 
4 interrupt if OF is set when the INTO 
instruction executes. The type 4 interrupt is 
reserved for this purpose. 


Example: INTO 


If the result of a previous operation
has set OF and no intervening
operation has reset OF, then
INTO invokes a type 4 interrupt.
The interrupt service routine 
terminates with an IRET instruc- 
tion, which returns control to the 
instruction following INTO. 


3.7 CHARACTER TRANSLATION AND
STRING INSTRUCTIONS


The instructions in this category operate on 
characters or string elements rather than on 
logical or numeric values. 


3.7.1 Translate Instruction 


XLAT (Translate) replaces a byte in the AL 
register with a byte from a user-coded trans- 
lation table. When XLAT is executed, AL 
should have the unsigned index to the table 
addressed by BX. XLAT changes the contents 
of AL from table index to table entry. BX is 
unchanged. The XLAT instruction is useful 
for translating from one coding system to 
another such as from ASCII to EBCDIC. The 
translate table may be up to 256 bytes long. 
The value placed in the AL register serves as 
an index to the location of the corresponding 
translation value. Used with a LOOP instruc- 
tion, the XLAT instruction can translate a 
block of codes up to 64K bytes long. 


Example: XLAT 


Replaces the byte in AL with the 
byte from the translate table that 
is selected by the value in AL. 


3.7.2 String Manipulation Instructions and 
Repeat Prefixes 


The string instructions (also called primi- 
tives) operate on string elements to move, 
compare, and scan byte or word strings. One- 
byte repeat prefixes can cause the operation 
of a string primitive to be repeated to process 
strings as long as 64K bytes. 


The repeated string primitives use the direc- 
tion flag, DF, to specify left-to-right or right- 
to-left string processing, and use a count in 
CX to limit the processing operation. These 
instructions use the register pair DS:SI to 
point to the source string element and the 
register pair ES:DI to point to the 
destination.


One of two possible opcodes represents each
string primitive, depending on whether it is
operating on byte strings or word strings. The
string primitives are generic and require one
or more operands along with the primitive to
determine the size of the string elements being
processed. These operands do not determine
the addresses of the strings; the addresses
must already be present in the appropriate
registers.


Each repetition of a string operation using the 
Repeat prefixes includes the following steps: 


1. Acknowledge pending interrupts.

2. Check CX for zero and stop repeating if
   CX is zero.

3. Perform the string operation once.

4. Adjust the memory pointers in DS:SI and
   ES:DI by incrementing SI and DI if DF
   is 0 or by decrementing SI and DI if DF
   is 1.

5. Decrement CX (this step does not affect
   the flags).

6. For SCAS (Scan String) and CMPS
   (Compare String), check ZF for a match
   with the repeat condition and stop
   repeating if the ZF fails to match.


The Load String and Store String instruc- 
tions allow a program to perform arithmetic 
or logical operations on string characters 
(using AX for word strings and AL for byte 
strings). Repeated operations that include 
instructions other than string primitives must 
use the loop instructions rather than a repeat 
prefix.


3.7.2.1 STRING MOVEMENT INSTRUCTIONS 


REP (Repeat While CX Not Zero) specifies 
a repeated operation of a string primitive. The 
REP prefix causes the hardware to automat- 
ically repeat the associated string primitive 
until CX=0. This form of iteration allows the 
CPU to process strings much faster than
would be possible with a regular software
loop.


When the REP prefix accompanies a MOVS 
instruction, it operates as a memory-to- 
memory block transfer. To set up for this 
operation, the program must initialize CX and 
the register pairs DS:SI and ES:DI. CX 
specifies the number of bytes or words in the 
block.


If DF=0, the program must point DS:SI to 
the first element of the source string and point 
ES:DI to the destination address for the first 
element. If DF=1, the program must point 
these two register pairs to the last element of 
the source string and to the destination 
address for the last element, respectively. 


Example: REP MOVSW 


The processor checks the value in 
CX for zero. If this value is not 
zero, the processor moves a word 
from the location pointed to by 
DS:SI to the location pointed to 
by ES:DI and increments SI and 
DI by two (if DF=0). Next, the 
processor decrements CX by one 
and returns to the beginning of 
the repeat cycle to check CX 
again. After CX decrements to 
zero, the processor executes the 
instruction that follows. 


MOVS (Move String) moves the string
character pointed to by the combination of DS
and SI to the location pointed to by the
combination of ES and DI. This is the only
memory-to-memory transfer supported by the
instruction set of the base architecture.
MOVSB operates on byte elements. The
destination segment register cannot be
overridden by a segment override prefix while
the source segment register can be
overridden.
Example: MOVSW


Moves the contents of the 
memory byte pointed to by DS:SI 
to the location pointed to by 
ES:DI. 


3.7.2.2 OTHER STRING OPERATIONS 


CMPS (Compare Strings) subtracts the 
destination string element (ES:DI) from the 
source string element (DS:SI) and updates the 
flags AF, SF, PF, CF and OF. If the string 
elements are equal, ZF=1; otherwise, ZF=0.
If DF=0, the processor increments the 
memory pointers (SI and DI) for the two 
strings. The segment register used for the 
source address can be changed with a segment 
override prefix while the destination segment 
register cannot be overridden. 


Example: CMPSB 


Compares the source and desti- 
nation string elements with each 
other and returns the result of the 
comparison to ZF. 


SCAS (Scan String) subtracts the destination 
string element at ES:DI from AX or AL and 
updates the flags AF, SF, ZF, PF, CF and 
OF. If the values are equal, ZF=1; other- 
wise, ZF=0. If DF=0, the processor incre- 
ments the memory pointer (DI) for the string. 
The segment register used for the source 
address can be changed with a segment 
override prefix while the destination segment 
register cannot be overridden. 


Example: SCASW 


Compares the value in AX with 
the destination string element. 


REPE/REPZ (Repeat While CX Equal/Zero) 
and REPNE/REPNZ (Repeat While CX Not 
Equal/Not Zero) are the prefixes that are 
used exclusively with the SCAS (Scan 
String) and CMPS (Compare String)
primitives.


The difference between these two types of
prefix bytes is that REPE/REPZ terminates 
when ZF=0 and REPNE/REPNZ termi- 
nates when ZF=1. ZF does not require 
initialization before execution of a repeated 
string instruction. 


When these prefixes modify either the SCAS 
or CMPS primitives, the processor compares 
the value of the current string element with 
the value in AX for word elements or with 
the value in AL for byte elements. The 
resulting state of ZF can then limit the 
operation of the repeated operation as well as 
a zero value in CX. 


Example: REPE SCASB


Causes the processor to scan the
string pointed to by ES:DI until
it encounters a match with the
byte value in AL or until CX
decrements to zero.


LODS (Load String) places the source string
element at DS:SI into AX for word strings or
into AL for byte strings.


Example: LODSW


Loads AX with the value pointed
to by DS:SI.


3.8 ADDRESS MANIPULATION 
INSTRUCTIONS 


The set of address manipulation instructions 
provide a way to perform address calcula- 
tions or to move to a new data segment or 
extra segment. 


LEA (Load Effective Address) transfers the 
offset of the source operand (rather than its 
value) to the destination operand. The source 
operand must be a memory operand, and the 
destination operand must be a 16-bit general 
register (AX, DX, BX, CX, BP, SP, SI, 
or DI). 
LEA does not affect any flags. This instruc-
tion is useful for initializing the registers
before the execution of the string primitives
or the XLAT instruction.


Example: LEA BX, EBCDIC_TABLE


Causes the processor to place 
the address of the starting 
location of the table labeled 
EBCDIC_TABLE into BX. 


LDS (Load Pointer Using DS) transfers a 
32-bit pointer variable from the source 
operand to DS and the destination register. 
The source operand must be a memory 
operand, and the destination operand must be 
a 16-bit general register (AX, DX, BX, CX, 
BP, SP, SI or DI). DS receives the high-order 
segment word of the pointer. The destination 
register receives the low-order word, which 
points to a specific location within the 
segment. 


Example: LDS SI, STRING_X


Loads DS with the word identi-
fying the segment pointed to by
STRING_X, and loads the offset
of STRING_X into SI. Specify-
ing SI as the destination operand
is a convenient way to prepare for
a string operation on a source
string that is not in the current
data segment.


LES (Load Pointer Using ES) operates
identically to LDS except that ES receives the
offset word rather than DS.


Example: LES DI, DESTINATION_X


Loads ES with the word identi-
fying the segment pointed to by
DESTINATION_X, and loads
the offset of DESTINATION_X
into DI. This instruction provides
a convenient way to select a
destination for a string operation
if the desired location is not in the
current extra segment.


3.9 FLAG CONTROL INSTRUCTIONS 


The flag control instructions provide a method 
of changing the state of bits in the flag 
register. 


3.9.1 Carry Flag Control Instructions 


The carry flag instructions are useful in 
conjunction with rotate-with-carry instruc- 
tions RCL and RCR. They can initialize the
carry flag, CF, to a known state before
execution of a rotate that moves the carry bit
into one end of the rotated operand.


STC (Set Carry Flag) sets the carry flag (CF)
to 1.


Example: STC


CLC (Clear Carry Flag) zeros the carry flag
(CF).


Example: CLC

CMC (Complement Carry Flag) reverses the 
current status of the carry flag (CF). 


Example: CMC 


3.9.2 Direction Flag Control Instructions 


The direction flag control instructions are 
specifically included to set or clear the direc- 
tion flag, DF, which controls the left-to-right 
or right-to-left direction of string processing. 
If DF=0, the processor automatically incre-
ments the string memory pointers, SI and DI,
after each execution of a string primitive. If
DF=1, the processor decrements these
pointer values. The initial state of DF is 0.


CLD (Clear Direction Flag) zeros DF, causing
the string instructions to auto-increment SI 
and/or DI. CLD does not affect any other 
flags. 

Example: CLD 


STD (Set Direction Flag) sets DF to 1,
causing the string instructions to auto-decre-
ment SI and/or DI. STD does not affect any
other flags.


Example: STD 
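The effect of DF on a repeated move is easiest to see when source and destination overlap. The following C model is an added example, not code from this manual; it follows the register setup rules given for REP MOVS (first element when DF=0, last element when DF=1) and assumes DS and ES select the same 64K segment. The names rep_movs, copy_bytes and safe_direction are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Registers used by the string primitives. DS and ES are assumed to select
   the same 64K segment (an assumption of this model) so blocks can overlap. */
typedef struct {
    uint16_t si, di, cx;
    int      df;              /* 0 = auto-increment, 1 = auto-decrement */
} regs_t;

/* Model of REP MOVSB (width 1) or REP MOVSW (width 2): test CX, move one
   element, step SI and DI in the direction DF selects, decrement CX. */
static void rep_movs(uint8_t *seg, regs_t *r, uint16_t width)
{
    while (r->cx != 0) {
        for (uint16_t b = 0; b < width; b++)
            seg[(uint16_t)(r->di + b)] = seg[(uint16_t)(r->si + b)];
        if (r->df) {
            r->si = (uint16_t)(r->si - width);
            r->di = (uint16_t)(r->di - width);
        } else {
            r->si = (uint16_t)(r->si + width);
            r->di = (uint16_t)(r->di + width);
        }
        r->cx--;
    }
}

/* Initialize CX, SI and DI for the chosen direction, then copy `count`
   bytes from offset src to offset dst. Returns the final register state. */
regs_t copy_bytes(uint8_t *seg, uint16_t src, uint16_t dst,
                  uint16_t count, int df)
{
    regs_t r;
    r.cx = count;
    r.df = df;
    if (df == 0) {            /* point at the first elements */
        r.si = src;
        r.di = dst;
    } else {                  /* point at the last elements */
        r.si = (uint16_t)(src + count - 1);
        r.di = (uint16_t)(dst + count - 1);
    }
    rep_movs(seg, &r, 1);
    return r;
}

/* Direction a routine should select explicitly (CLD or STD) instead of
   trusting whatever DF its caller left behind: copy backwards only when
   the destination starts inside the source block. */
int safe_direction(uint16_t src, uint16_t dst, uint16_t count)
{
    return (dst > src && (uint16_t)(dst - src) < count) ? 1 : 0;
}

int main(void)
{
    static uint8_t seg[65536];
    for (int df = 0; df <= 1; df++) {
        memcpy(seg + 0x100, "ABCDEFGH", 8);     /* constructed sample data */
        regs_t r = copy_bytes(seg, 0x100, 0x102, 6, df);
        printf("DF=%d -> %.8s  SI=%04X DI=%04X CX=%u\n",
               df, (const char *)(seg + 0x100), r.si, r.di, r.cx);
    }
    return 0;
}
```

With DF=0 the overlapping move re-reads bytes it has already overwritten; with DF=1 and the pointers set to the last elements the block arrives intact.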


3.9.3 Flag Transfer Instructions 


Though specific instructions exist to alter CF 
and DF, there is no direct method of altering 
the other flags. The flag transfer instructions 
allow a program to alter the other flag bits 
with the bit manipulation instructions after 
transferring these flags to the stack or the AH 
register. 


The PUSHF and POPF instructions are also 
useful for preserving the state of the flag 
register before executing a procedure. 


LAHF (Load AH from Flags) copies SF, ZF, 
AF, PF, and CF to AH bits 7, 6, 4, 2, and 0, 
respectively (see figure 3-13). The contents of 
the remaining bits (5, 3, and 1) are undefined. 
The flags remain unaffected. This instruction 
can assist in converting 8080/8085 assembly 
language programs to run on the base archi-
tecture of the iAPX 86, 88, 186,
and 286.


Example: LAHF


SAHF (Store AH into Flags) transfers bits 7, 
6, 4, 2, and 0 from AH into SF, ZF, AF, PF, 
and CF, respectively (see figure 3-13). This
instruction also provides 8080/8085 compat- 
ibility with the iAPX 86, 88, 186, and 286. 


Example: SAHF 


REGISTER AH


LAHF loads five flags from the flag register into register AH. SAHF 
stores these same five flags from AH into the flag register. The 
bit position of each flag is the same in AH as it is in the flag 
register. The remaining bits are indeterminate. 


Figure 3-13. LAHF and SAHF 


PUSHF (Push Flags) decrements SP by two 
and then transfers all flags to the word at the 
top of stack pointed to by SP (see figure 
3-14). The flags remain unaffected. This 
instruction enables a procedure to save the 
state of the flag register for later use.


Example: PUSHF


POPF (Pop Flags) transfers specific bits from
the word at the top of stack into the low-order 
byte of the flag register (see figure 3-14). The 
processor then increments SP by two. 


Note that an application program in the 
protected virtual address mode may not alter 
IOPL (the I/O privilege level flag) unless the 
program is executing at privilege level 0. A 
program may alter IF (the interrupt flag) only 
when executing at a level that is at least as 
privileged as IOPL.


Procedures may use this instruction to restore 
the flag status from a previous value. 


Example: POPF


3.10 BINARY-CODED DECIMAL
ARITHMETIC INSTRUCTIONS


These instructions adjust the results of a
previous arithmetic operation to produce a
valid packed or unpacked decimal result.
These instructions operate only on AL or AH
registers.


STACK WORD


PUSHF decrements SP by 2 bytes (1 word) and copies the contents of the flag register to the top of stack. POPF loads the flag register
with the contents of the last word pushed onto the stack. The bit position of each flag is the same in the stack word as it is in the flag
register. Only programs executing at the highest privilege level (level 0) may alter the 2-bit IOPL flag. Only programs executing at a level at
least as privileged as that indicated by IOPL may alter IF.


Figure 3-14. PUSHF and POPF


3.10.1 Packed BCD Adjustment 
Instructions 


DAA (Decimal Adjust) corrects the result of
adding two valid packed decimal operands in 
AL. DAA must always follow the addition of 
two pairs of packed decimal numbers (one 
digit in each nibble) to obtain a pair of valid 
packed decimal digits as results. The carry 
flag will be set if carry was needed. 

Example: DAA 

DAS (Decimal Adjust for Subtraction) 
corrects the result of subtracting two valid 
packed decimal operands in AL. DAS must 
always follow the subtraction of one pair of 
packed decimal numbers (one digit in each 
nibble) from another to obtain a pair of valid 
packed decimal digits as results. The carry 
flag will be set if a borrow was needed. 


Example: DAS 


3.10.2 Unpacked BCD Adjustment 
Instructions


AAA (ASCII Adjust for Addition) changes 
the contents of register AL to a valid 
unpacked decimal number, and zeros the top 
4 bits. AAA must always follow the addition 
of two unpacked decimal operands in AL. The 
carry flag will be set and AH will be incre-
mented if a carry was necessary.


Example: AAA 


AAS (ASCII Adjust for Subtraction) changes
the contents of register AL to a valid
unpacked decimal number, and zeros the top
4 bits. AAS must always follow the subtrac-
tion of one unpacked decimal operand from
another in AL. The carry flag will be set and
AH decremented if a borrow was necessary.


Example: AAS


AAM (ASCII Adjust for Multiplication)
corrects the result of a multiplication of two
valid unpacked decimal numbers. AAM must
always follow the multiplication of two
decimal numbers to produce a valid decimal
result. The high order digit will be left in AH,
the low order digit in AL.


Example: AAM


AAD (ASCII Adjust for Division) modifies 
the numerator in AH and AL to prepare for 
the division of two valid unpacked decimal 
operands so that the quotient produced by the 
division will be a valid unpacked decimal 
number. AH should contain the high-order 
digit and AL the low-order digit. This 
instruction will adjust the value and leave it 
in AL. AH will contain 0.


Example: AAD


3.11 TRUSTED INSTRUCTIONS


When operating in Protected Mode (Chapter 
6 and following), the iAPX 286 processor 
restricts the execution of trusted instructions 
according to the Current Privilege Level 
(CPL) and the current value of IOPL, the 
2-bit I/O privilege flag. Only a program 
operating at the highest privilege level (level 
0) may alter the value of IOPL. A program 
may execute trusted instructions only when 
executing at a level that is at least as privi- 
leged as that specified by IOPL. 


Trusted instructions control I/O operations, 
interprocessor communications in a multipro- 
cessor system, interrupt enabling, and the 
HLT instruction. 


These protection considerations do not apply 
in the real address mode.


3.11.1 Trusted and Privileged Restrictions 
on POPF and IRET 


POPF (POP Flags) and IRET (Interrupt 
Return) are not affected by IOPL unless they 
attempt to alter IF (flag register bit 9). To 
change IF, POPF must be part of a program 
that is executing at a privilege level greater 
than or equal to that specified by IOPL. Any 
attempt to change IF when CPL = 0 will be 
ignored (i.e., the IF flag will be ignored). To 
change the IOPL field, CPL must be zero. 


3.11.2 Machine State Instructions 


These trusted instructions affect the machine 
state control interrupt response, the processor 
halt state, and the bus LOCK signal that 
regulates memory access in multiprocessor 
systems. 


CLI (Clear Interrupt-Enable Flag) and STI 
(Set Interrupt-Enable Flag) alter bit 9 in the 
flag register. When IF=0, the processor
responds only to internal interrupts and to
non-maskable external interrupts. When
IF=1, the processor responds to all inter-
rupts. An interrupt service routine might use
these instructions to avoid further interrup-
tion while it processes a previous interrupt
request. As with the other flag bits, the
processor clears IF during initialization. These
instructions may be executed only if CPL <=
IOPL. A protection exception will occur if
they are executed when CPL > IOPL.


Example: STI 
Sets IF=1, which enables the 
processing of maskable external 
interrupts. 

Example: CLI 


Sets IF=0 to disable maskable
interrupt processing. 


HLT (Halt) causes the processor to suspend 
processing operations pending an interrupt or 
a system reset. This trusted instruction 
provides an alternative to an endless software 
loop in situations where a program must wait 
for an interrupt. The return address saved 
after the interrupt will point to the instruc- 
tion immediately following HLT. This 
instruction may be executed only when 
CPL = 0. 


Example: HLT 


LOCK (Assert Bus Lock) is a 1-byte prefix
code that causes the processor to assert the 
bus LOCK signal during execution of the 
instruction that follows. LOCK does not affect 
any flags. LOCK may be used only when CPL 
<= IOPL. A protection exception will occur if 
LOCK is used when CPL > IOPL. 
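The privilege rules of sections 3.11 through 3.11.2 can be stated as two checks: one that decides whether a trusted instruction executes or raises a protection exception, and one that decides which flag bits POPF may change. The C model below is an added example, not code from this manual. It assumes that bits POPF is not allowed to alter are silently left unchanged, treats all other flag bits as freely writable, and takes the position of IOPL (bits 12 and 13 of the flag word) from the 286 flag layout rather than from this section; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_IF    0x0200u    /* interrupt-enable flag, bit 9 */
#define FLAG_IOPL  0x3000u    /* 2-bit I/O privilege level, bits 12-13 */

enum insn { INSN_CLI, INSN_STI, INSN_IN, INSN_OUT, INSN_LOCK, INSN_HLT };

static unsigned iopl_of(uint16_t flags)
{
    return (flags & FLAG_IOPL) >> 12;
}

/* Protected Mode gate for trusted instructions. Returns true when the
   instruction executes, false when it raises a protection exception.
   Numerically lower CPL means more privilege. */
bool trusted_insn_allowed(enum insn i, unsigned cpl, uint16_t flags)
{
    if (i == INSN_HLT)
        return cpl == 0;               /* HLT: level 0 only */
    return cpl <= iopl_of(flags);      /* CLI, STI, IN, OUT, LOCK */
}

/* Flag word that results when a program at `cpl` executes POPF with
   `popped` on top of the stack. IOPL changes only at CPL 0; IF changes
   only when CPL is at least as privileged as the current IOPL. */
uint16_t popf_protected(uint16_t flags, uint16_t popped, unsigned cpl)
{
    uint16_t writable = 0xFFFFu;

    if (cpl != 0)
        writable &= (uint16_t)~FLAG_IOPL;
    if (cpl > iopl_of(flags))
        writable &= (uint16_t)~FLAG_IF;
    return (uint16_t)((flags & (uint16_t)~writable) | (popped & writable));
}

int main(void)
{
    /* Constructed scenario: the OS runs applications at CPL 3 with IOPL=0
       and interrupts enabled. The application pops a flag word that asks
       for IOPL=3 and IF=0, plus the carry flag. */
    uint16_t os_flags = FLAG_IF;       /* IOPL=0, IF=1 */
    uint16_t crafted  = 0x3001u;       /* IOPL=3, IF=0, CF=1 */

    printf("CPL 3 POPF: %04X -> %04X\n",
           os_flags, popf_protected(os_flags, crafted, 3));
    printf("CPL 0 POPF: %04X -> %04X\n",
           os_flags, popf_protected(os_flags, crafted, 0));
    printf("CLI at CPL 3, IOPL 0: %s\n",
           trusted_insn_allowed(INSN_CLI, 3, os_flags)
               ? "executes" : "protection exception");
    return 0;
}
```

In the constructed scenario only CF changes at CPL 3, so a flag word placed on the stack by the application cannot raise IOPL or mask interrupts; the same POPF at CPL 0 takes the word as written.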


3.11.3 Input and Output Instructions 


These trusted instructions provide access to
the processor’s I/O ports to transfer data to
and from peripheral devices. In Protected
Mode, these instructions may be executed
only when CPL <= IOPL.


IN (Input from Port) transfers a byte or a 
word from an input port to AL or AX. If a 
program specifies AL with the IN instruc- 
tion, the processor transfers 8 bits from the 
selected port to AL. Alternately, if a program 
specifies AX with the IN instruction, the 
processor transfers 16 bits from the port 
to AX. 


The program can specify the number of the
port in two ways. Using an immediate byte
constant, the program can specify 256 8-bit
ports numbered 0 through 255 or 128 16-bit
ports numbered 0, 2, 4, ..., 252, 254. Using the
current value contained in DX, the program
can specify 8-bit ports numbered 0 through
65,535, or 16-bit ports using even-numbered
ports in the same range.


Example: IN AL, BYTE_PORT_NUMBER


Transfers 8 bits to AL
from the port identified
by the immediate constant
BYTE_PORT_NUMBER.


OUT (Output to Port) transfers a byte or a 
word to an output port from AL or AX. The 
program can specify the number of the port 
using the same methods of the IN instruc- 
tion. 


Example: OUT AX, DX


Transfers 16 bits from AX to the
port identified by the 16-bit
number contained in DX.


INS and OUTS (Input String and Output
String) cause block input or output opera-
tions using a Repeat prefix. See Chapter 4 for
more information on INS and OUTS.


3.12 PROCESSOR EXTENSION 
INSTRUCTIONS 

Processor Extension provides an extension to 
the instruction set of the base architecture 
(e.g., 80287). The NPX extends the instruc- 
tion set of the CPU-based architecture to 
support high-precision integer and floating- 
point calculations. This extended instruction 
set includes arithmetic, comparison,
transcendental, and data transfer instruc- 
tions. The NPX also contains a set of useful 
constants to enhance the speed of numeric 
calculations. 


A program contains instructions for the NPX 
in line with the instructions for the CPU. The 
system executes these instructions in the same 
order as they appear in the instruction stream. 
The NPX operates concurrently with the 
CPU to provide maximum throughput for 
numeric calculations.


The software emulation of the NPX is trans- 
parent to application software but requires 
more time for execution.


3.12.1 Processor Extension 
Synchronization Instructions 


Escape and wait instructions allow a proces-
sor extension such as the 80287 NPX to 
obtain instructions and data from the system 
bus and to wait for the NPX to return a result. 


ESC (Escape) identifies floating point 
numeric instructions and allows the iAPX 286 
to send the opcode to the NPX or to transfer 
a memory operand to the NPX. The 80287 
NPX uses the Escape instructions to perform 
high-performance, high-precision floating 
point arithmetic that conforms to the IEEE 
floating point standard 754. 


Example: ESC 6, ARRAY [SI]


The CPU sends the escape opcode 
6 and the location of the array 
pointed to by SI to the NPX. 


WAIT (Wait) suspends program execution
until the iAPX 286 CPU detects a signal on 
the BUSY pin. In an iAPX 286/20 configu- 
ration that includes a numeric processor 
extension, the NPX activates the BUSY pin 
to signal that it has completed its processing 
task and that the CPU may obtain the results. 


Example: WAIT 


3.12.2 Numeric Data Processor 
Instructions 


This section describes the categories of 
instructions available with Numeric Data 
Processor systems that include a Numeric 
Processor Extension or a software emulation 
of this processor extension. Refer to the 
Numeric Supplement following Appendix D 
and to the 80287 data sheet for more 
information. 


3.12.2.1 ARITHMETIC INSTRUCTIONS 


The extended instruction set includes not only 
the four arithmetic operations (add, subtract, 
multiply, and divide), but also subtract- 
reversed and divide-reversed instructions. The 
arithmetic functions include square root, 
modulus, absolute value, integer part, change 
sign, scale exponent, and extract exponent 
instructions. 


3.12.2.2 COMPARISON INSTRUCTIONS


The comparison operations are the compare, 
examine, and test instructions. Special forms 
of the compare instruction can optimize 
algorithms by allowing comparisons of binary 
integers with real numbers in memory. 


3.12.2.3 TRANSCENDENTAL INSTRUCTIONS 


The instructions in this group perform the 
otherwise time-consuming calculations for all 
common trigonometric, inverse trigonome- 
tric, hyperbolic, inverse hyperbolic, logarith- 
mic, and exponential functions. The 
transcendental instructions include tangent, 
arctangent, 2^X - 1, Y · log₂ X, and Y · log₂
(X+1).


3.12.2.4 DATA TRANSFER INSTRUCTIONS 


The data transfer instructions move operands 
among the registers and between a register 
and memory. This group includes the load, 
store, and exchange instructions. 


3.12.2.5 CONSTANT INSTRUCTIONS 


Each of the constant instructions loads a 
commonly used constant into an NPX regis- 
ter. The values have a real precision of 64 bits
and are accurate to approximately 19 decimal
places. The constants loaded by these instruc-
tions include 0, 1, Pi, log₂ 10, log₂ e, log₁₀ 2,
and logₑ 2.


CHAPTER 4
EXTENDED INSTRUCTION SET 


The instructions described in this chapter 
extend the capabilities of the base architec- 
ture instruction set described in Chapter 3. 
These extensions consist of new instructions 
and variations of some instructions that are 
not strictly part of the base architecture (in 
other words, not included in the iAPX 86, 88). 
These instructions are also available in the 
iAPX 186, 188. The instruction variations, 
described in Chapter 3, include the immedi- 
ate forms of the PUSH and MUL instruc- 
tions, PUSHA, POPA, and the privilege level 
restrictions on POPF. 


New instructions described in this chapter 
include the string input and output instruc- 
tions (INS and OUTS), the ENTER proce- 
dure and LEAVE procedure instructions, and 
the check index BOUND instruction. 


4.1 BLOCK I/O INSTRUCTIONS


REP, the Repeat prefix, modifies INS and 
OUTS (the string I/O instructions) to provide 
a means of transferring blocks of data 
between an I/O port and Memory. These 
block I/O instructions are string primitives. 
They simplify programming and increase the 
speed of data transfer by eliminating the need 
to use a separate LOOP instruction or an 
intermediate register to hold the data. 


INS and OUTS are trusted instructions. To 
use trusted instructions, a program must 
execute at a privilege level at least as privi- 
leged as that specified by the 2-bit IOPL flag 
(CPL <= IOPL). Any attempt by a less-privi-
leged program to use a trusted instruction
results in a protection exception. See Chapter
7 for information on protection concepts.


One of two possible opcodes represents each
string primitive depending on whether it
operates on byte strings or word strings. After
each transfer, the memory address in SI or
DI is updated by 1 for byte values and by 2
for word values. The value in the DF field
determines if SI or DI is to be auto incre-
mented (DF=0) or auto decremented
(DF=1).


INS and OUTS use DX to specify I/O ports 
numbered 0 through 65,535 or 16-bit ports 
using only even port addresses in the same 
range. 


INS (Input String from Port) transfers a byte 
or a word string element from an input port 
to memory. If a program specifies INSB, the 
processor transfers 8 bits from the selected 
port to the memory location indicated by 
ES:DI. Alternately, if a program specifies 
INSW, the processor transfers 16 bits from 
the port to the memory location indicated by 
ES:DI. The destination segment register 
choice (ES) cannot be changed for the INS 
instruction. 


Combined with the REP prefix, INS moves a 
block of information from an input port to a 
series of consecutive memory locations. 


Example: REP INSB 


The processor repeatedly trans-
fers 8 bits to the memory location
indicated by ES:DI from the port
selected by the 16-bit port number
contained in DX. Following each
byte transfer, the CPU decre-
ments CX. The instruction termi-
nates the block transfer when
CX=0. After decrementing CX,
the processor increments DI by
one if DF=0. It decrements DI
by one if DF=1.


OUTS (Output String to Port) transfers a
byte or a word string element to an output 
port from memory. Combined with the REP 
prefix, OUTS moves a block of information 
from a series of consecutive memory locations 
indicated by DS:SI to an output port. 


Example: REP OUTS WSTRING


Assuming that the program
declares WSTRING to be a
word-length string element, the
assembler uses the 16-bit form of
the OUTS instruction to create
the object code for the program.
The processor repeatedly trans-
fers words from the memory
locations indicated by DI to the
output port selected by the 16-bit
port number in DX.


Following each word transfer, the
CPU decrements CX. The
instruction terminates the block
transfer when CX=0. After
decrementing CX, the processor
increments SI by two to point to
the next word in memory if
DF=0; it decrements SI by two
if DF=1.


4.2 HIGH-LEVEL INSTRUCTIONS


The instructions in this section provide 
machine-language functions normally found 
only in high-level languages. These instruc- 
tions include ENTER and LEAVE, which 
simplify the programming of procedures, and 
BOUND, which provides a simple method of 
testing an index against its predefined range. 


ENTER (Enter Procedure) creates the stack 
frame required by most block-structured high- 
level languages. A LEAVE instruction at the 
end of a procedure complements an ENTER 
at the beginning of the procedure to simplify 
stack management and to control access to 
variables for nested procedures. 


Example: ENTER 2048,3


Allocates 2048 bytes of dynamic
storage on the stack and sets up
pointers to two previous stack
frames in the stack frame that
ENTER creates for this
procedure.


The ENTER instruction includes two param- 
eters. The first parameter specifies the 
number of bytes of dynamic storage to be 
allocated on the stack for the routine being 
entered. The second parameter corresponds to 
the lexical nesting level (0-31) of the routine. 
(Note that the lexical level has no relation- 
ship to either the protection privilege levels or 
to the I/O privilege level.) 


The specified lexical level determines how 
many sets of stack frame pointers the CPU 
copies into the new stack frame from the 
preceding frame. This list of stack frame 
pointers is sometimes called the “display.” 
The first word of the display is a pointer to 
the last stack frame. This pointer enables a 
LEAVE instruction to reverse the action of 
the previous ENTER instruction by effec- 
tively discarding the last stack frame. 


After ENTER creates the new display for a 
procedure, it allocates the dynamic storage 
space for that procedure by decrementing SP 
by the number of bytes specified in the first 
parameter. This new value of SP serves as a 
base for all PUSH and POP operations within 
that procedure. 


To enable a procedure to address its display, 
ENTER leaves BP pointing to the beginning 
of the new stack frame. Data manipulation 
instructions that specify BP as a base register 
implicitly address locations within the stack 
segment instead of the data segment. Two 
forms of the ENTER instruction exist: nested 
and non-nested. If the lexical level is 0, the
non-nested form is used. Since the second
operand is 0, ENTER pushes BP, copies SP
to BP and then subtracts the first operand
from SP. The nested form of ENTER occurs
when the second parameter (lexical level) is
not 0. Figure 4-1 gives the formal definition
of ENTER.


The formal definition of the ENTER instruction for all cases is
given by the following listing. LEVEL denotes the value of
the second operand.


Push BP
Set a temporary value FRAME_PTR := SP
If LEVEL > 0 then
    Repeat (LEVEL - 1) times:
        BP := BP - 2
        Push the word pointed to by BP
    End repeat
    Push FRAME_PTR
End if
BP := FRAME_PTR
SP := SP - first operand.


Figure 4-1. Formal Definition of the ENTER
Instruction


The main procedure (with other procedures 
nested within) operates at the highest lexical 
level, level 1. The first procedure it calls 
operates at the next deeper lexical level, level 
2. A level 2 procedure can access the varia- 
bles of the main program which are at fixed 
locations specified by the compiler. In the case 
of level 1, ENTER allocates only the 
requested dynamic storage on the stack 
because there is no previous display to copy. 


A program operating at a higher lexical level 
calling a program at a lower lexical level 
requires that the called procedure should have 
access to the variables of the calling program. 
ENTER provides this access through a 
display that provides addressability to the 
calling program’s stack frame. 


A procedure calling another procedure at the 
same lexical level implies that they are paral- 
lel procedures and that the called procedure 
should not have access to the variables of the 
calling procedure. In this case, ENTER copies 
only that portion of the display from the 
calling procedure which refers to previously
nested procedures operating at higher lexical 
levels. The new stack frame does not include 
the pointer for addressing the calling proce- 
dure’s stack frame. 


ENTER treats a reentrant procedure as a 
procedure calling another procedure at the 
same lexical level. In this case, each succeed-
ing iteration of the reentrant procedure can 
address only its own variables and the varia- 
bles of the calling procedures at higher lexical 
levels. A reentrant procedure can always 
address its own variables; it does not require 
pointers to the stack frames of previous 
iterations. 


By copying only the stack frame pointers of 
procedures at higher lexical levels, ENTER 
makes sure that procedures access only those 
variables of higher lexical levels, not those at 
parallel lexical levels (see figure 4-2). Figures 
4-2a through 4-2d demonstrate the actions of 
the ENTER instruction if the modules shown 
in figure 4-1 were to call one another in 
alphabetic order. 


Block-structured high-level languages can use 
the lexical levels defined by ENTER to 
control access to the variables of previously 
nested procedures. For example, if 
PROCEDURE A calls PROCEDURE B 
which, in turn, calls PROCEDURE C, then 
PROCEDURE C will have access to the 
variables of MAIN and PROCEDURE A, 
but not PROCEDURE B because they 
operate at the same lexical level. Following is 
the complete definition of the variable access 
for figure 4-2. 


1. MAIN PROGRAM has variables at
fixed locations.


2. PROCEDURE A can access only the
fixed variables of MAIN.


3. PROCEDURE B can access only the
variables of PROCEDURE A and
MAIN. PROCEDURE B cannot access
the variables of PROCEDURE C or
PROCEDURE D.


4. PROCEDURE C can access only the
variables of PROCEDURE A and
MAIN. PROCEDURE C cannot access
the variables of PROCEDURE B or
PROCEDURE D.


5. PROCEDURE D can access the
variables of PROCEDURE C,
PROCEDURE A, and MAIN.
PROCEDURE D cannot access the
variables of PROCEDURE B.


MAIN PROGRAM (LEXICAL LEVEL 1)
    PROCEDURE A (LEXICAL LEVEL 2)
        PROCEDURE B (LEXICAL LEVEL 3)
        PROCEDURE C (LEXICAL LEVEL 3)
            PROCEDURE D (LEXICAL LEVEL 4)


Figure 4-2. Variable Access in Nested Procedures


ENTER at the beginning of the MAIN
PROGRAM creates dynamic storage space 
for MAIN but copies no pointers. The first 
and only word in the display points to itself 
because there is no previous value for LEAVE 
to return to BP. See figure 4-2a. 


After MAIN calls PROCEDURE A,
ENTER creates a new display for PROCE- 
DURE A with the first word pointing to the 
previous value of BP (BPM for LEAVE to 
return to the MAIN stack frame) and the 
second word pointing to the current value of 
BP. Procedure A can access variables in 
MAIN since MAIN is at level 1. Therefore 
the base for the dynamic storage for MAIN 
is at [BP—2]. All dynamic variables for 
MAIN will be at a fixed offset from this 
value. See figure 4-2b.


After PROCEDURE A calls PROCEDURE 
B, ENTER creates a new display for 
PROCEDURE B with the first word point- 
ing to the previous value of BP, the second 
word pointing to the value of BP for MAIN, 
and the third word pointing to the value of 
BP for A and the last word pointing to the 
current BP. B can access variables in A and 
MAIN by fetching from the display the base 
addresses of the respective dynamic storage 
areas. See figure 4-2c. 


After PROCEDURE B calls PROCEDURE 
C, ENTER creates a new display for 
PROCEDURE C with the first word point- 
ing to the previous value of BP; the second 
word pointing to the value of BP for MAIN, 
and the third word pointing to the BP value 
for A and the third word pointing to the 
current value of BP. Because PROCEDURE 
B and PROCEDURE C have the same lexical 
level, PROCEDURE C is not allowed access 
to variables in B and therefore does not 
receive a pointer to the beginning of 
PROCEDURE B's stack frame. See
figure 4-2d.
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DISPLAY 


, DYNAMIC 
STORAGE 


‘BPM = BP VALUE FOR MAIN 


DISPLAY 


Figure 4-2a. Stack Frame for MAIN at Level 1 


DYNAMIC 
STORAGE 


Figure 4-2c. Stack Frame for Procedure B at 
Level 3 Called from A 


LEAVE (Leave Procedure) reverses the action 
of the previous ENTER instruction. The 
LEAVE instruction does not include any 
operands. 


Example: LEAVE


First, LEAVE copies BP to SP to
release all stack space allocated to
the procedure by the most recent
ENTER instruction. Next,
LEAVE pops the old value of BP
from the stack. A subsequent
RET instruction can then remove
any arguments that were pushed
on the stack by the calling
program for use by the called
procedure.


Figure 4-2b. Stack Frame for Procedure A
(BPA = BP value for Procedure A)


Figure 4-2d. Stack Frame for Procedure C at
Level 3 Called from B


BOUND (Detect Value Out of Range) verifies 
that the signed value contained in the speci- 
fied register lies within specified limits. An 
interrupt (INT 5) occurs if the value 
contained in the register is less than the lower 
bound or greater than the upper bound.


The BOUND instruction includes two
operands. The first operand specifies the
register being tested. The second operand
contains the effective relative address of the
two signed BOUND limit values. The
BOUND instruction assumes that it can
obtain the upper limit from the memory word
that immediately follows the lower limit.
These limit values cannot be register
operands; if they are, an invalid opcode
exception occurs.


BOUND is useful for checking array bounds
before using a new index value to access an
element within the array. BOUND provides
a simple way to check the value of an index
register before the program overwrites
information in a location beyond the limit of the
array.


The two-word block of memory that specifies
the lower and upper limits of an array might
typically reside just before the array itself.
This makes the array bounds accessible at a
constant offset of -4 from the beginning of
the array. Because the address of the array
will already be present in a register, this
practice avoids extra calculations to obtain the
effective address of the array bounds.


Example: BOUND BX,ARRAY-4


Compares the value in BX with
the lower limit at address
ARRAY-4 and the upper limit
at address ARRAY-2. If the
signed value in BX is less than the
lower bound or greater than the
upper bound, the interrupt for this
instruction (INT 5) occurs.
Otherwise, this instruction has no
effect.
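

The check that BOUND performs, modelled in C as an added example (not code from the manual). The struct layout, the INT_NONE marker and the use of element indices 0 through 9 as the limits are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define INT_NONE  (-1)   /* hypothetical marker: no interrupt raised */
#define INT_BOUND 5      /* vector the manual gives for a failed BOUND */
#define N_ELEMS   10     /* constructed sample array size */

/* Layout the manual recommends: the two limit words sit directly in front
   of the data, i.e. at ARRAY-4 (lower) and ARRAY-2 (upper). */
struct bounded_array {
    int16_t limits[2];
    int16_t data[N_ELEMS];
};

static void array_init(struct bounded_array *a)
{
    a->limits[0] = 0;
    a->limits[1] = N_ELEMS - 1;
    for (int i = 0; i < N_ELEMS; i++)
        a->data[i] = 0;
}

/* Model of "BOUND reg, limits": the register is read as a signed 16-bit
   value and must satisfy lower <= reg <= upper (both ends inclusive). */
static int bound(uint16_t reg, const int16_t limits[2])
{
    int32_t v = (reg & 0x8000u) ? (int32_t)reg - 0x10000 : (int32_t)reg;
    if (v < limits[0] || v > limits[1])
        return INT_BOUND;
    return INT_NONE;
}

/* Write data[index] only when the check passes. Returns the interrupt
   that would be raised, or INT_NONE when the store was performed.
   Assumes the limits describe data[], as array_init sets them. */
static int checked_store(struct bounded_array *a, uint16_t index, int16_t value)
{
    int irq = bound(index, a->limits);
    if (irq != INT_NONE)
        return irq;              /* the handler runs instead of the store */
    a->data[index] = value;
    return INT_NONE;
}

int main(void)
{
    struct bounded_array a;
    /* Constructed index values: both ends, one past the end, and two
       values that are large when unsigned but negative when signed. */
    uint16_t samples[] = { 0, 9, 10, 0xFFFF, 0x8000 };

    array_init(&a);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int irq = checked_store(&a, samples[i], 0x55);
        printf("index %04Xh -> %s\n", (unsigned)samples[i],
               irq == INT_NONE ? "stored" : "INT 5");
    }
    return 0;
}
```

Because the comparison is signed, an index register holding 0FFFFH is treated as -1 and rejected by the lower limit rather than by the upper one.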


Real Address Mode 


CHAPTER 5 
REAL ADDRESS MODE 


The iAPX 286 can be operated in either of 
two modes according to the status of the 
Protection Enabled bit of the MSW status 
register. In contrast to the “modes” and
“mode bits” of some processors, however, the
iAPX 286 modes do not represent a radical 
transition between conflicting architectures. 
Instead, the setting of the Protection Enabled 
bit simply determines whether certain 
advanced features, in addition to the baseline 
architecture of the iAPX 286, are to be 
made available to system designers and 
programmers. 


If the Protection Enabled (PE) bit is set by 
the programmer, the processor changes into 
Protected Virtual Address Mode. In this 
mode of operation, memory addressing is 
performed in terms of virtual addresses, with
on-chip mapping mechanisms performing the
virtual-to-physical translation. Only in this
mode can the system designer make use of the 
advanced architectural features of the iAPX 
286: virtual memory support, system-wide 
protection, and built-in multitasking mecha- 
nisms are among the new features provided in 
this mode of operation. Refer to Part II of 
this manual (Chapters 6 through 11) for 
details on Protected Mode operation. 


Initially, upon system reset, the processor 
starts up in Real Address Mode. In this mode 
of operation, all memory addressing is 
performed in terms of real physical addresses. 
In effect, the architecture of the iAPX 286 in 
this mode is identical to that of the 8086 and 
other processors in the iAPX 86 family. The
principal features of this baseline architecture
have already been discussed throughout
Part I (Chapters 2 through 4) of this manual.
This chapter discusses certain additional
topics—addressing, interrupt handling, and
system initialization—that complete the
system programmer’s view of the iAPX 286
in Real Address Mode.


5.1 ADDRESSING AND SEGMENTATION 


Like other processors in the iAPX 86 family, 
the iAPX 286 provides a one-megabyte
memory space (2^20 bytes) when operated in
Real Address Mode. Physical addresses are
the 20-bit values that uniquely identify each
byte location in this address space. Physical
addresses, therefore, may range from 0
through FFFFFH.


An address is specified by a 32-bit pointer 
containing two components: (1) a 16-bit 
effective address offset that determines the 
displacement, in bytes, of a particular location 
within a segment; and (2) a 16-bit segment 
selector component that determines the start- 
ing address of the segment. Both components 
of an address may be referenced explicitly by 
an instruction (such as JMP, LES, LDS, or 
CALL); more often, however, the segment 
selector is simply the contents of a segment 
register.


The interpretation of the first component, the 
effective address offset, is straightforward.
Segments are at most 64K (2^16) bytes in
length, so an unsigned 16-bit quantity is
sufficient to address any arbitrary byte
location within a segment. The lowest-addressed
byte within a segment has an offset of 0, and 
the highest-addressed byte has an offset of 
FFFFH. Data operands must be completely 
contained within a segment and must be 
contiguous. (These rules apply in both modes.) 


A segment selector is the second component 
of a logical address. This 16-bit quantity 
specifies the starting address of a segment 
within a physical address space of 2^20 bytes.


Whenever the iAPX 286 accesses memory in
Real Address Mode, it generates a 20-bit 
physical address from a segment selector and 
offset value. The segment selector value is left- 
shifted four bit positions to form the segment 
base address. The offset is extended with 4 
high order zeroes and added to the base to 
form the physical address (see figure 5-1). 


Therefore, every segment is required to start 
at a byte address that is evenly divisible by 
16; thus, each segment is positioned at a 
20-bit physical address whose least signifi- 
cant four bits are zeroes. This arrangement 
allows the iAPX 286 to interpret a segment
selector as the high-order 16 bits of a 20-bit
segment base address.


No limit or access checks are performed by
the iAPX 286 in the Real Address Mode. All
segments are readable, writable, executable,
and have a limit of 0FFFFH (65535 bytes).
To save physical memory, you can use unused
portions of a segment as another segment by
overlapping the two (see figure 5-2). The Intel
iAPX 86 software development tools support
this feature via the segment override and
group operators. However, programs that
access segment B from segment A become
incompatible in the protected virtual address
mode.


Figure 5-1a. Forming the Segment Base Address


Figure 5-1b. Forming the 20-Bit Physical Address in the Real Address Mode


Figure 5-2. Overlapping Segments to Save
Physical Memory


5.2 INTERRUPT HANDLING 


Program interrupts may be generated in either 
of two distinct ways. An internal interrupt is 
caused directly by the currently executing 
program. The execution of a particular 
instruction results in the occurrence of an 
interrupt, whether intentionally (e.g., an INT 
n instruction) or as an unanticipated excep- 
tion (e.g., invalid opcode). On the other hand, 
an external interrupt occurs asynchronously 
as the result of an event external to the 
processor, and bears no necessary relation- 
ship with the currently executing program. 
The INTR and NMI pins of the iAPX 286 
provide the means by which external 
hardware signals the occurrence of such 
events.


5.2.1 Interrupt Vector Table 


Whatever its origin, whether internal or 
external, an interrupt demands immediate 
attention from an associated service routine. 
Control must be transferred, at least for the 
moment, from the currently executing 
program to the appropriate interrupt service 
routine. By means of interrupt vectors, the 
iAPX 286 handles such control transfers 
uniformly for both kinds of interrupts.


An interrupt vector is an unsigned integer in
the range of 0-255; every interrupt is assigned 
such a vector. In some cases, the assignment 
is predetermined and fixed: for example, an 
external NMI interrupt is invariably associ- 
ated with vector 2, while an internal divide 
exception is always associated with vector 0. 
In most cases, however, the association of an 
interrupt and a vector is established dynami- 
cally. An external INTR interrupt, for 
example, supplies a vector in response to an 
interrupt acknowledge bus cycle, while the 
INT n instruction supplies a vector incor- 
porated within the instruction itself. The 
vector is shifted two places left to form a byte 
address into the table (see figure 5-3). 


In any case, the iAPX 286 uses the interrupt 
vector as an index into a table in order to 
determine the address of the corresponding 
interrupt service routine. For Real Address 
Mode, this table is known as the Interrupt 
Vector Table. Its format is illustrated in 
figure 5-3.


The Interrupt Vector Table consists of as 
many as 256 consecutive entries, each four 
bytes long. Each entry defines the address of 
a service routine to be associated with the 
correspondingly numbered interrupt vector 
code. Within each entry, an address is speci- 
fied by a full 32-bit pointer that consists of a 
16-bit offset and a 16-bit segment selector. 
Interrupts 0-31 are reserved by Intel. 


In Real Address Mode, the interrupt table can
be accessed directly at physical memory 
location 0 through 1023. In the protected 
virtual address mode, however, the interrupt 
vector table has no fixed physical address and 
cannot be directly accessed. Therefore, Real 
Address mode programs that directly 
manipulate the interrupt vector table will not 
work in the protected virtual address mode.


Figure 5-3. Interrupt Vector Table for Real Address Mode


5.2.1.1 INTERRUPT PRIORITIES


When simultaneous interrupt requests occur,
they are processed in a fixed order as shown
in table 5-1. Interrupt processing involves
saving the flags, the return address, and
setting CS:IP to point at the first instruction
of the interrupt handler. If other interrupts
remain enabled, they are processed before the
first instruction of the current interrupt
handler is executed. The last interrupt
processed is therefore the first one serviced.


Table 5-1. Interrupt Processing Order

Instruction exception
Single step
Processor extension segment overrun
INTR


5.2.2 Interrupt Procedures 


When an interrupt occurs in Real Address
Mode, the iAPX 86 performs the following
sequence of steps. First, the FLAGS register,
as well as the old values of CS and IP, are
pushed onto the stack (see figure 5-4). The
IF and TF flag bits are cleared. The vector
number is then used to read the address of
the interrupt service routine from the
interrupt table. Execution begins at this address.


Figure 5-4. Stack Structure After Interrupt
(Real Address Mode)


Thus, when control is passed to an interrupt 
service routine, the return linkage is placed 
on the stack, interrupts are disabled, and 
single-step trace (if in effect) is turned off. 
The IRET instruction at the end of the inter- 
rupt service routine will reverse these steps 
before transferring control to the program 
that was interrupted. 


An interrupt service routine may affect registers
other than IP, CS, and FLAGS. It
is the responsibility of an interrupt routine to 
save additional context information before 
proceeding so that the state of the machine 
can be restored upon completion of the inter- 
rupt service routine (PUSHA and POPA 
instructions are intended for these opera- 
tions). Finally, execution of the IRET 
instruction pops the old IP, CS, and FLAGS 
from the stack and resumes the execution of 
the interrupted program. 
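

The address formation of section 5.1 and the interrupt entry and IRET sequence of section 5.2.2, modelled in C as an added example (not code from the manual). The memory array, the struct cpu register set, vector 40H and the handler address F000:1234 are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define FLAG_TF 0x0100u   /* trap (single-step) flag */
#define FLAG_IF 0x0200u   /* interrupt-enable flag   */

/* Constructed memory model, sized so every segment:offset sum fits. */
static uint8_t mem[0x110000];

struct cpu { uint16_t cs, ip, ss, sp, flags; };

/* Selector shifted left four bits, plus the zero-extended offset. */
static uint32_t phys(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

static uint16_t rd16(uint32_t a)
{
    return (uint16_t)(mem[a] | (mem[a + 1] << 8));
}

static void wr16(uint32_t a, uint16_t v)
{
    mem[a]     = (uint8_t)(v & 0xFF);
    mem[a + 1] = (uint8_t)(v >> 8);
}

static void push16(struct cpu *c, uint16_t v)
{
    c->sp = (uint16_t)(c->sp - 2);
    wr16(phys(c->ss, c->sp), v);
}

static uint16_t pop16(struct cpu *c)
{
    uint16_t v = rd16(phys(c->ss, c->sp));
    c->sp = (uint16_t)(c->sp + 2);
    return v;
}

/* Table entry n lives at physical address n * 4 (the vector shifted left
   two places): 16-bit offset first, then the 16-bit segment selector. */
static void set_vector(uint8_t vec, uint16_t seg, uint16_t off)
{
    wr16((uint32_t)vec * 4, off);
    wr16((uint32_t)vec * 4 + 2, seg);
}

/* Interrupt entry as the manual lists it: push FLAGS, CS, IP; clear IF
   and TF; load CS:IP from the vector table. */
static void take_interrupt(struct cpu *c, uint8_t vec)
{
    push16(c, c->flags);
    push16(c, c->cs);
    push16(c, c->ip);
    c->flags = (uint16_t)(c->flags & ~(FLAG_IF | FLAG_TF));
    c->ip = rd16((uint32_t)vec * 4);
    c->cs = rd16((uint32_t)vec * 4 + 2);
}

/* IRET reverses the entry sequence: pop IP, CS, then FLAGS. */
static void do_iret(struct cpu *c)
{
    c->ip    = pop16(c);
    c->cs    = pop16(c);
    c->flags = pop16(c);
}

int main(void)
{
    /* Constructed state: code at 1000:0042, stack at 2000:0100, IF and TF set. */
    struct cpu c = { 0x1000, 0x0042, 0x2000, 0x0100, FLAG_IF | FLAG_TF };

    set_vector(0x40, 0xF000, 0x1234);   /* hypothetical handler address */
    take_interrupt(&c, 0x40);
    printf("handler %04X:%04X = %05lXh, SP=%04X, FLAGS=%04X\n",
           (unsigned)c.cs, (unsigned)c.ip, (unsigned long)phys(c.cs, c.ip),
           (unsigned)c.sp, (unsigned)c.flags);
    do_iret(&c);
    printf("resumed %04X:%04X, FLAGS=%04X\n",
           (unsigned)c.cs, (unsigned)c.ip, (unsigned)c.flags);
    return 0;
}
```

Nothing in this path checks who writes the table: any code that can store to physical addresses 0 through 1023 can redirect a vector, which is the Real Address Mode behaviour the text contrasts with Protected Mode.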


5.2.3 Reserved and Dedicated Interrupt 
Vectors 


In general, the system designer is free to use
almost any interrupt vectors for any given
purpose. Some of the lowest-numbered
vectors, however, are reserved by Intel for
dedicated functions; their use is specifically
implied by certain types of exceptions. None
of the first 32 vectors should be defined by
the user; these vectors are either invoked by
pre-defined exceptions or reserved by Intel for
future expansion. Table 5-2 shows the
dedicated and reserved vectors of the iAPX
286 in Real Address Mode.


The purpose and function of the dedicated
interrupt vectors may be summarized as
follows (the saved value of CS:IP will include
all leading prefixes):


• Divide error (Interrupt 0). This exception
will occur if the quotient is too large or
an attempt is made to divide by zero using
either the DIV or IDIV instruction. The
saved CS:IP points at the first byte of the
failing instruction. DX and AX are
unchanged.


• Single-Step (Interrupt 1). This interrupt
will occur after each instruction if the
Trap Flag (TF) bit of the FLAGS register
is set. Of course, TF is cleared upon
entry to this or any other interrupt to
prevent infinite recursion. The saved
value of CS:IP will point to the next
instruction.


• Nonmaskable (Interrupt 2). This interrupt
will occur upon receipt of an external
signal on the NMI pin. Typically, the
nonmaskable interrupt is used to implement
power-fail/auto-restart procedures.
The saved value of CS:IP will point to the
first byte of the interrupted instruction.


• Breakpoint (Interrupt 3). Execution of
the one-byte breakpoint instruction causes
this interrupt to occur. This instruction is
useful for the implementation of software
debuggers since it requires only one code
byte and can be substituted for any
instruction opcode byte. The saved value
of CS:IP will point to the next
instruction.


• INTO Detected Overflow (Interrupt 4).
Execution of the INTO conditional
software interrupt instruction will cause
this interrupt to occur if the overflow bit
(OF) of the FLAGS register is set. The
saved value of CS:IP will point to the next
instruction.


• BOUND Range Exceeded (Interrupt 5).
Execution of the BOUND instruction will
cause this interrupt to occur if the specified
array index is found to be invalid
with respect to the given array bounds.
The saved value of CS:IP will point to the
first byte of the BOUND instruction.


Table 5-2. Dedicated and Reserved Interrupt Vectors in Real Address Mode

Columns: Function; Interrupt Number; Related Instructions; Return Address
Before Instruction Causing Exception?

Divide error exception: DIV, IDIV
Processor extension not available exception: ESC or WAIT; Yes
Interrupt table limit too small: LIDT
Processor extension segment overrun interrupt
Segment overrun exception: Any memory reference instruction that attempts
to reference 16-bit word at offset 0FFFFH

N/A = Not Applicable


• Invalid Opcode (Interrupt 6). This
exception will occur if execution of an
invalid opcode is attempted. (In Real
Address Mode, most of the Protected
Virtual Address Mode instructions are
classified as invalid and should not be
used). This interrupt can also occur if the
effective address given by certain
instructions, notably BOUND, LDS,
LES, and LIDT, specifies a register
rather than a memory location. The saved
value of CS:IP will point to the first byte
of the invalid instruction or opcode.


• Processor Extension Not Available
(Interrupt 7). Execution of the ESC
instruction will cause this interrupt to
occur if the status bits of the MSW
indicate that processor extension
functions are to be emulated in software.
Refer to section 10.2.2 for more details.
The saved value of CS:IP will point to the
first byte of the ESC or the WAIT
instruction.


• Interrupt Table Limit Too Small (Interrupt
8). This interrupt will occur if the
limit of the interrupt vector table was
changed from 3FFH by the LIDT
instruction and an interrupt whose vector
is outside the limit occurs. The saved
value of CS:IP will point to the first byte
of the instruction that caused the interrupt
or that was ready to execute before
an external interrupt occurred. No error
code is pushed.


• Processor Extension Segment Overrun
Interrupt (Interrupt 9). The interrupt will
occur if a processor extension memory
operand does not fit in a segment. The
saved CS:IP will point at the first byte of
the instruction that caused the interrupt.


• Segment Overrun Exception (Interrupt
13). This interrupt will occur if a memory
operand does not fit in a segment. In Real
Mode the only time when this will occur
is when a word operand begins at segment
offset 0FFFFH. The saved CS:IP will
point at the first byte of the instruction
that caused the interrupt. No error code
is pushed.


• Processor Extension Error (Interrupt 16).
This interrupt occurs after the numeric
instruction that caused the error. It can
only occur while executing a subsequent
WAIT or ESC. The saved value of CS:IP
will point to the first byte of the ESC or
the WAIT instruction. The address of the
failed numeric instruction is saved in the
NPX.


5.3 SYSTEM INITIALIZATION 


The iAPX 286 provides an orderly way to
start or restart an executing system. Upon
receipt of the RESET signal, certain processor
registers go into the determinate state
shown in table 5-3.


Table 5-3. Processor State After RESET


Since the CS register contains F000 (thus
specifying a code segment starting at physical
address F0000) and the instruction pointer
contains FFF0, the processor will execute its
first instruction at physical address FFFF0H.
The uppermost 16 bytes of physical memory
are therefore reserved for initial startup logic.
Ordinarily, this location contains an intersegment
direct JMP instruction whose target is
the actual beginning of a system initialization
or restart program.


Some of the steps normally performed by a 
system initialization routine are as follows: 


• Allocate a stack.


• Load programs and data from secondary
storage into memory.


• Initialize external devices.


• Enable interrupts (i.e., set the IF bit of
the FLAGS register). Set any other
desired FLAGS bit as well.


• Set the appropriate MSW flags if a
processor extension is present, or if
processor extension functions are to be
emulated by software.


• Set other registers, as appropriate, to the
desired initial values.


• Execute. (Ordinarily, this last step is
performed as an intersegment JMP to the
main system program.)


Memory Management And 
Virtual Addressing


CHAPTER 6
MEMORY MANAGEMENT AND VIRTUAL ADDRESSING 


In Protected Virtual Address Mode, the iAPX 
286 provides an advanced architecture that 
retains substantial compatibility with the 8086 
and other processors in the iAPX 86 family. 
In many respects, the baseline architecture of 
the processor remains constant regardless of 
the mode of operation. Application program- 
mers continue to use the same set of instruc- 
tions, addressing modes, and data types in 
Protected Mode as in Real Address Mode. 


The major difference between the two modes 
of operation is that the Protected Mode 
provides system programmers with additional 
architectural features, supplementary to the 
baseline architecture, that can be used to good 
advantage in the design and implementation 
of advanced systems. Especially noteworthy 
are the mechanisms provided for memory 
management, protection, and multitasking. 


This chapter focuses on the memory manage- 
ment mechanisms of Protected Mode; the 
concept of a virtual address and the process 
of virtual-to-physical address translation are 
described in detail in this chapter. Subse- 
quent chapters deal with other key aspects of 
Protected Mode operation. Chapter 7 
discusses the issue of protection and the 
integrated mechanisms that support a system- 
wide protection policy. Chapter 8 discusses the 
notion of a task and its central role in the 
iAPX 286 architecture. Chapters 9 through 
11 discuss certain additional topics—inter- 
rupt handling, special instructions, system 
initialization, etc.—that complete the system 
programmer’s view of iAPX 286 Protected 
Mode. 


6.1 MEMORY MANAGEMENT OVERVIEW 


A memory management scheme interposes a
mapping operation between logical addresses
(i.e., addresses as they are viewed by
programs) and physical addresses (i.e., actual 
addresses in real memory). Since the logical 
address spaces are independent of physical 
memory (dynamically relocatable), the 
mapping (the assignment of real address space 
to virtual address space) is transparent to 
software. This allows the program develop- 
ment tools (for static systems) or the system 
software (for reprogrammable systems) to 
control the allocation of space in real memory 
without regard to the specifics of individual 
programs. 


Application programs may be translated and 
loaded independently since they deal strictly 
with virtual addresses. Any program can be 
relocated to use any available segments of 
physical memory. 


The iAPX 286, when operated in Protected 
Mode, provides an efficient on-chip memory 
management architecture. Moreover, as 
described in Chapter 11, the iAPX 286 also 
supports the implementation of virtual 
memory systems—that is, systems that 
dynamically swap chunks of code and data 
between real memory and secondary storage 
devices (e.g., a disk) independent of and 
transparent to the executing application 
programs. Thus, a program-visible address is 
more aptly termed a virtual address rather 
than a logical address since it may actually 
refer to a location not currently present in real 
memory.


Memory management, then, consists of a 
mechanism for mapping the virtual addresses 
that are visible to the program onto the 
physical addresses of real memory. With the 
iAPX 286, segmentation is the key to virtual 
memory addressing. Virtual memory is partitioned
into a number of individual segments,
which are the units of memory that are 
mapped into physical memory and swapped 
to and from secondary storage devices. Most 
of this chapter is devoted to a detailed discus- 
sion of the mapping and virtual memory 
mechanisms of the iAPX 286.


The concept of a task also plays a significant 
role in memory management since distinct 
memory mappings may be assigned to the 
different tasks in a multitask or multi-user 
environment. A complete discussion of tasks 
is deferred until Chapter 8, “Tasks and State 
Transition.” For present purposes, it is suffi- 
cient to think of a task as an ongoing process, 
or execution path, that is dedicated to a 
particular function. In a multi-user time- 
sharing environment, for example, the 
processing required to interact with a partic- 
ular user may be considered as a single task, 
functionally independent of the other tasks 
(i.e., users) in the system.


6.2 VIRTUAL ADDRESSES


In Protected Mode, application programs deal 
exclusively with virtual addresses; programs
have no access whatsoever to the actual 
physical addresses generated by the proces- 
sor. As discussed in Chapter 2, an address is 
specified by a program in terms of two 
components: (1) a 16-bit effective address 
offset that determines the displacement, in 
bytes, of a location within a segment; and (2) 
a 16-bit segment selector that uniquely refer- 
ences a particular segment. Jointly, these two 
components constitute a complete 32-bit 
address (pointer data type), as shown in 
figure 6-1.


These 32-bit virtual addresses are manipu- 
lated by programs in exactly the same way as 
the two-component addresses of Real Address 
Mode. After a program loads the segment
selector component of an address into a
segment register, each subsequent reference
to locations within the selected segment
requires only a 16-bit offset be specified.
Locality of reference will ordinarily insure
that addresses can be specified very efficiently
using only 16-bit offsets.


An important difference between Real 
Address Mode and Protected Mode, however, 
concerns the actual format and information 
content of segment selectors. In Real Address 
Mode, as with the 8086 and other processors 
in the iAPX 86 family, a 16-bit selector is 
merely the upper bits of a segment’s physical 
base address. By contrast, segment selectors 
in Protected Mode follow an entirely differ- 
ent format, as illustrated by figure 6-1. 


Two of the selector bits, designated as the 
RPL field in figure 6-1, are not actually 
involved in the selection and specification of 
segments; their use is discussed in Chapter 7. 


Figure 6-1. Format of the Segment Selector
Component (a 32-bit pointer: segment selector
in bits 31-16, segment offset in bits 15-0)


The remaining 14 bits of the selector component
uniquely designate a particular segment.
The virtual address space of a program,
therefore, may encompass as many as 16,384
(2^14) distinct segments. Segments themselves
are of variable size, ranging from as small as
a single byte to as large as 64K (2^16) bytes.
Thus, a program’s virtual address space may
contain, altogether, up to a full gigabyte
(2^30 = 2^14 × 2^16) of individually addressable
byte locations.


The entirety of a program’s virtual address 
space is further subdivided into two separate 
halves, as distinguished by the TI (“table 
indicator”) bit in the virtual address. These
two halves are the global address space and 
the local address space. 


The global address space is used for system-wide
data and procedures including operating
system software, library routines, runtime
language support and other commonly shared
system services. (To application programs, the
operating system appears to be a set of service
routines that are accessible to all tasks.)
Global space is shared by all tasks to avoid
unnecessary replication of system service
routines and to facilitate shared data and
interrupt handling. Global address space is
defined by addresses with a zero in the TI bit
position; it is identically mapped for all tasks
in the system.


The other half of the virtual address space— 
comprising those addresses with the TI bit 
set—is separately mapped for each task in the 
system. Because such an address space is local 
to the task for which it is defined, it is referred 
to as a local address space. In general, code 
and data segments within a task’s local 
address space are private to that particular 
task or user. Figure 6-2 illustrates the task 
isolation made possible by partitioning the 
virtual address spaces into local and global 
regions. 


Figure 6-2. Address Spaces and Task Isolation


Within each of the two regions addressable
by a program—either the global address space 
or a particular local address space—as many 
as 8,192 (2^13) distinct segments may be
defined. The INDEX field of the segment 
selector allows for a unique specification of 
each of these segments. This 13-bit quantity 
acts as an index into a memory-resident table, 
called a descriptor table, that records the 
mapping between segment address and the 
physical locations allocated to each distinct 
segment. (These descriptor tables, and their 
role in virtual-to-physical address translation, 
are described in the sections that follow.)


In summary, a Protected Mode virtual 
address is a 32-bit pointer to a particular byte 
location within a one-gigabyte virtual address 
space. Each such pointer consists of a 16-bit 
selector component and a 16-bit offset 
component. The selector component, in turn, 
comprises a 13-bit table index, a 1-bit table 
indicator (local versus global), and a 2-bit 
RPL field; all but this last field serve to select 
a particular segment from among the 16K 
segments in a task’s virtual address space. The 
offset component of a full pointer is an 
unsigned 16-bit integer that specifies the 
desired byte location within the selected 
segment. 


6.3 DESCRIPTOR TABLES 


A descriptor table is a memory-resident table 
either defined by program development tools 
in a static system or controlled by operating 
system software in systems that are repro- 
grammable. The descriptor table contents 
govern the interpretation of virtual addresses. 
Whenever the iAPX 286 decodes a virtual
address, translating a full 32-bit pointer into
a corresponding 24-bit physical address, it
implicitly references one of these tables.


Within a Protected Mode system, there are 
ordinarily several descriptor tables resident in
memory. One of these is the global descriptor
table (GDT); this table provides a complete 
description of the global address space. In 
addition, there may be one or more local 
descriptor tables (LDTs), each describing the 
local address space of one or more tasks. 


For each task in the system, a pair of descrip- 
tor tables—consisting of the GDT (shared by 
all tasks) and a particular LDT (private to 
the task or to a group of closely related 
tasks)—provides a complete description of
that task’s virtual address space. The protec- 
tion mechanism described in Chapter 7, 
“Protection,” ensures that a task is granted 
access only to its own virtual address space. 
In the simplest of system configurations, tasks 
can reside entirely within the GDT without 
the use of local descriptor tables. This will 
simplify system software by only requiring 
maintenance of one table (the GDT) at the 
expense of no isolation between tasks. The 
point is: the iAPX 286 memory management 
scheme is flexible enough to accommodate a 
variety of implementations and does not 
require use of all possible facilities when 
implementing a system. 


The descriptor tables consist of a sequence of 
8-byte entries called descriptors. A descriptor 
table may contain from 1 to 8192 entries.
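

Selector decoding and descriptor lookup as sections 6.2 and 6.3 describe them, as an added C example (not code from the manual). The field positions (RPL in bits 1-0, TI in bit 2, INDEX in bits 15-3) are the standard iAPX 286 selector layout; the table bases and limits are constructed, and treating the limit as the offset of the last valid byte is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define DESC_SIZE 8u   /* every descriptor is 8 bytes */

struct selector {
    uint16_t index;   /* 13-bit INDEX field: which descriptor in the table   */
    uint8_t  ti;      /* table indicator: 0 = global (GDT), 1 = local (LDT)   */
    uint8_t  rpl;     /* 2-bit RPL field, not used for selecting the segment */
};

/* Base and limit of a descriptor table, as GDTR/LDTR would hold them.
   Assumption: limit is the offset of the table's last valid byte, the
   convention behind the 3FFH limit of the 1024-byte real-mode table. */
struct desc_table {
    uint32_t base;    /* 24-bit physical address */
    uint16_t limit;
};

static struct selector decode_selector(uint16_t sel)
{
    struct selector s;
    s.rpl   = (uint8_t)(sel & 0x3);
    s.ti    = (uint8_t)((sel >> 2) & 0x1);
    s.index = (uint16_t)(sel >> 3);
    return s;
}

/* Find the physical address of the descriptor a selector names.
   Returns 0 and stores the address, or -1 when the 8-byte entry would
   extend past the end of the chosen table. */
static int locate_descriptor(const struct desc_table *gdt,
                             const struct desc_table *ldt,
                             uint16_t sel, uint32_t *addr)
{
    struct selector s = decode_selector(sel);
    const struct desc_table *t = s.ti ? ldt : gdt;
    uint32_t first = (uint32_t)s.index * DESC_SIZE;

    if (first + (DESC_SIZE - 1) > t->limit)
        return -1;
    *addr = t->base + first;
    return 0;
}

int main(void)
{
    /* Constructed tables: an 8-entry GDT and a 3-entry LDT. */
    struct desc_table gdt = { 0x001000, 0x003F };
    struct desc_table ldt = { 0x020000, 0x0017 };
    uint16_t samples[] = { 0x0010, 0x0013, 0x000F, 0x001C };  /* constructed */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct selector s = decode_selector(samples[i]);
        uint32_t addr = 0;
        int rc = locate_descriptor(&gdt, &ldt, samples[i], &addr);

        printf("selector %04Xh: index=%u table=%s rpl=%u -> ",
               (unsigned)samples[i], (unsigned)s.index,
               s.ti ? "LDT" : "GDT", (unsigned)s.rpl);
        if (rc == 0)
            printf("descriptor at %06lXh\n", (unsigned long)addr);
        else
            printf("outside the table\n");
    }
    return 0;
}
```

Selectors 0010H and 0013H differ only in RPL and resolve to the same descriptor, while 001CH names a fourth LDT entry that the three-entry table does not contain.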


Within a descriptor table, two main classes of 
descriptors are recognized by the iAPX 286 
architecture. The most important of these, 
from the standpoint of memory management, 
are called segment descriptors; these deter- 
mine the set of segments that are included 
within a given address space. The other class 
are special-purpose control descriptors—such 
as call gates and task descriptors—to implement
protection (described in succeeding
chapters) and special system data segments.


Figure 6-3 shows the format of a segment
descriptor. Note that it provides information 
about the physical-memory base address and 
size of a segment, as well as certain access 
information. If a particular segment is to be 
included within a virtual address space, then 
a segment descriptor that describes that 
segment must be included within the appro- 
priate descriptor table. Thus, within the GDT, 
there are segment descriptors for all of the 
segments that comprise a system’s global 
address space. Similarly, within a task’s LDT, 
there must be a descriptor for each of the 
segments that are to be included in that task’s 
local address space. 


Each local descriptor table is itself a special 
system segment, recognizable as such by the 
iAPX 286 architecture and described by a 
specific type of segment descriptor (see figure 
6-4). Because there is only a single GDT 
segment, it is not defined by a segment 
descriptor. Its base and size information is
maintained in a dedicated register, GDTR, as 
described below (section 6.6.2). 


Similarly, there is another dedicated register 
within the iAPX 286, LDTR, that records the 
base and size of the current LDT segment 
(i.e., the LDT associated with the currently 
executing task). The LDTR register state, 
however, is volatile: its contents are automat- 
ically altered whenever a task switch is made 
from one task to another. An alternate speci- 
fication independent of changeable register 
contents must therefore exist for each LDT 
in the system. This independent specification 
is accomplished by means of special system 
segment descriptors known as descriptor table 
descriptors or LDT descriptors.


Figure 6-4 shows the format of a descriptor 
table descriptor. (Note that it is distinguished 
from an ordinary segment descriptor by the 
contents of certain bits in the access byte.) 


This special type of descriptor is used to 
specify the physical base address and size of 
a local descriptor table that defines the virtual 
address space and address mapping for an 
individual user or task (figure 6-5). 


ACCESS RIGHTS BYTES:

P    = PRESENT
DPL  = DESCRIPTOR PRIVILEGE LEVEL
S    = SEGMENT DESCRIPTOR
TYPE = SEGMENT TYPE AND ACCESS INFORMATION (see Figure 6-7)
A    = ACCESSED

*MUST BE SET TO 0 FOR COMPATIBILITY WITH iAPX 386

Figure 6-3. Segment Descriptor (S=1)


P    = PRESENT
DPL  = DESCRIPTOR PRIVILEGE LEVEL
S    = SEGMENT DESCRIPTOR
TYPE = TYPE OF SPECIAL DESCRIPTOR (includes control and system segments),
       e.g., INVALID DESCRIPTOR, AVAILABLE TASK STATE SEGMENT

Figure 6-4. Special Purpose Descriptors or System Segment Descriptors (S=0)


Figure 6-5. LDT Descriptor


Each LDT segment in a system must lie 
within that system’s global address space. 
Thus, all of the descriptor table descriptors 
must be included among the entries in the
global descriptor table (the GDT) of a system.


In fact, these special descriptors may appear 
only in the GDT. Reference to an LDT 
descriptor within an LDT will cause a protec- 
tion violation. Even though they are in the 
global address space available to all tasks, the 
descriptor table descriptors are protected from 
corruption within the GDT since they are 
special system segments and can only be 
accessed for loading into the LDTR register. 


6.4 VIRTUAL-TO-PHYSICAL ADDRESS
TRANSLATION


The translation of a full 32-bit virtual address 
pointer into a real 24-bit physical address is 
shown by figure 6-6. When the segment’s base 
address is determined as a result of the
mapping process, the offset value is added to
the result to obtain the physical address.


The actual mapping is performed on the 
selector component of the virtual address. The 
16-bit segment selector is mapped to a 24-bit 
segment base address via a segment descrip- 
tor maintained in one of the descriptor tables. 


Figure 6-6. Virtual-to-Physical Address Translation


The TI bit in the segment selector (see figure 
6-1) determines which of two descriptor 
tables, either the GDT or the current LDT, 
is to be chosen for memory mapping. In either 
case, using the GDTR or LDTR register, the 
processor can readily determine the physical 
base address of the memory-resident table. 


The INDEX field in the segment selector 
specifies a particular descriptor entry within 


the chosen table. The processor simply multiplies
this index value by 8 (the length of a
descriptor), and adds the result to the base 
address of the descriptor table in order to 
access the appropriate segment descriptor in 
the table. 


Finally, the segment descriptor contains the 
physical base address of the target segment, 
as well as size (limit) and access information. 
The processor sums the 24-bit segment base 
and the specified 16-bit offset to generate the 
resulting 24-bit physical address. 


6.5 SEGMENTS AND SEGMENT
DESCRIPTORS


Segments are the basic units of iAPX 286
memory management. In contrast to schemes 
based on fixed-size pages, segmentation allows 
for a very efficient implementation of 
software: variable-length segments can be 
tailored to the exact requirements of an 
application. Segmentation, moreover, is 
consistent with the way a programmer 
naturally deals with his virtual address space: 
programmers are encouraged to divide code 
and data into clearly defined modules and 
structures which are manipulated as con- 
sistent entities. This reduces (minimizes) the 
potential for virtual memory thrashing. 
Segmentation also eliminates the restrictions 
on data structures that span a page (e.g., a 
word that crosses page boundaries). 


Each segment within an iAPX 286 system is
defined by an associated segment descriptor, 
which may appear in one or more descriptor 
tables. Its inclusion within a descriptor table 
represents the presence of its associated 
segment within the virtual address space 
defined by that table. Conversely, its omission
from a descriptor table means that the
segment is absent from the corresponding
address space.


As shown previously in figure 6-3, an 8-byte 
segment descriptor encodes the following 
information about a particular segment: 


• Size. This 16-bit field, comprising bytes
  0 and 1 of a segment descriptor, specifies
  an unsigned integer as the size, in bytes
  (from 1 byte to 64K bytes), of the
  segment.


  Unlike segments in the 8086 (or the
  iAPX 286 in Real Address Mode)—
  which are never explicitly limited to less
  than a full 64K bytes—Protected Mode
  segments are always assigned a specific
  size value. In conjunction with the
  protection features described in Chapter
  7, this assigned size allows the enforcement
  of a very desirable and natural rule:
  inadvertent accesses to locations beyond
  a segment’s actual boundaries are
  prohibited.


• Base. This 24-bit field, comprising bytes
  2 through 4 of a segment descriptor,
  specifies the physical base address of the
  segment; it thus defines the actual
  location of the segment within the
  16-megabyte real memory space. The base
  may be any byte address within the
  16-megabyte real memory space.


• Access. This 8-bit field comprises byte 5
  of a segment descriptor. This access byte
  specifies a variety of additional information
  about a segment, particularly in
  regard to the protection features of the
  iAPX 286. For example, code segments
  are distinguished from data segments; and
  certain special access restrictions (such as
  Execute-Only or Read-Only) may be
  defined for segments of each type. Access
  byte values of 00H or 80H will always
  denote “invalid.”


Figure 6-7 shows the access byte format for 
both code and data segment descriptors. 
Detailed discussion of the protection related 
fields within an access byte (Conforming, 
Execute-Only, Descriptor Privilege Level, 
Expand Down, and Write-Permitted), and 
their use in implementing protection policies, 
is deferred to Chapter 7. The two fields 
Accessed and Present are used for virtual 
memory implementations.
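

The selector-to-physical-address mapping of sections 6.4 and 6.5, written out as an added C model (not code from the manual). The names, the simulated memory image and the sample descriptors are constructed for this example; it assumes the 16-bit size field holds the segment's last valid offset, and it does not model expand-down segments or privilege checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum xlate_status {
    XLATE_OK = 0,
    XLATE_TABLE_LIMIT,   /* selector indexes past the descriptor table limit */
    XLATE_INVALID_DESC,  /* access byte 00H or 80H always denotes "invalid" */
    XLATE_SEG_LIMIT      /* offset lies beyond the end of the segment */
};

/* Base and limit of one descriptor table, as cached in GDTR or LDTR. */
struct table_reg {
    uint32_t base;   /* 24-bit physical base address of the table */
    uint16_t limit;  /* last valid byte of the table (N*8 - 1 for N entries) */
};

/* The six descriptor bytes the processor caches: size, base, access. */
struct seg_desc {
    uint16_t limit;  /* bytes 0-1; assumed here to be the last valid offset */
    uint32_t base;   /* bytes 2-4 */
    uint8_t access;  /* byte 5 */
};

struct seg_desc decode_descriptor(const uint8_t d[8]) {
    struct seg_desc s;
    s.limit = (uint16_t)(d[0] | (d[1] << 8));
    s.base = (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16);
    s.access = d[5];
    return s;
}

/* mem/mem_size model the physical memory that holds the descriptor tables. */
enum xlate_status translate(const uint8_t *mem, uint32_t mem_size,
                            struct table_reg gdtr, struct table_reg ldtr,
                            uint16_t selector, uint16_t offset, uint32_t *phys) {
    unsigned index = selector >> 3;          /* 13-bit INDEX field */
    unsigned ti = (selector >> 2) & 1u;      /* TI: 0 = GDT, 1 = current LDT */
    struct table_reg t = ti ? ldtr : gdtr;
    uint32_t entry = (uint32_t)index * 8u;   /* descriptors are 8 bytes long */

    /* All 8 bytes of the entry must lie at or below the table limit. */
    if (entry + 7u > t.limit)
        return XLATE_TABLE_LIMIT;
    if (t.base + entry + 8u > mem_size)      /* guard for this model only */
        return XLATE_TABLE_LIMIT;

    struct seg_desc d = decode_descriptor(mem + t.base + entry);
    if (d.access == 0x00 || d.access == 0x80)
        return XLATE_INVALID_DESC;
    if (offset > d.limit)
        return XLATE_SEG_LIMIT;

    *phys = (d.base + offset) & 0xFFFFFFu;   /* 24-bit physical address */
    return XLATE_OK;
}

static void put_descriptor(uint8_t *mem, uint32_t at, uint16_t limit,
                           uint32_t base, uint8_t access) {
    mem[at + 0] = (uint8_t)(limit & 0xFF);
    mem[at + 1] = (uint8_t)(limit >> 8);
    mem[at + 2] = (uint8_t)(base & 0xFF);
    mem[at + 3] = (uint8_t)((base >> 8) & 0xFF);
    mem[at + 4] = (uint8_t)((base >> 16) & 0xFF);
    mem[at + 5] = access;
    mem[at + 6] = 0;                         /* bytes 6-7 stay 0 */
    mem[at + 7] = 0;
}

/* Constructed sample: a 3-entry GDT at 0x100 and a 2-entry LDT at 0x200. */
enum xlate_status demo_translate(uint16_t selector, uint16_t offset,
                                 uint32_t *phys) {
    static uint8_t mem[0x300];
    struct table_reg gdtr = { 0x100, 3 * 8 - 1 };
    struct table_reg ldtr = { 0x200, 2 * 8 - 1 };
    memset(mem, 0, sizeof mem);
    put_descriptor(mem, 0x100 + 1 * 8, 0x0FFF, 0x012000, 0x93); /* GDT[1]: data */
    put_descriptor(mem, 0x100 + 2 * 8, 0xFFFF, 0x020000, 0x80); /* GDT[2]: invalid */
    put_descriptor(mem, 0x200 + 1 * 8, 0x00FF, 0x400000, 0xF3); /* LDT[1]: data */
    return translate(mem, sizeof mem, gdtr, ldtr, selector, offset, phys);
}

int main(void) {
    uint32_t phys = 0;
    enum xlate_status st = demo_translate(0x000C, 0x00FF, &phys);
    printf("status=%d phys=%06lX\n", (int)st, (unsigned long)phys);
    return 0;
}
```

Selector 000CH has INDEX 1 and TI 1, so it resolves through the LDT; selector 0018H has INDEX 3 and fails the GDT limit check before any descriptor is read.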


6.6 MEMORY MANAGEMENT REGISTERS 


The Protected Virtual Address Mode features 
of the iAPX 286 operate at high performance 
due to extensions to the basic iAPX 86 regis- 
ter set. Figure 6-8 illustrates that portion of 
the extended register structure that pertains 
to memory management. (For a complete 
summary of all Protected Mode registers, 
refer to section 10.1). 


CODE SEGMENT TYPE (fields listed from LSB to MSB)

ACCESSED (1=yes)
READABLE (1=yes)
CONFORMING (1=yes)
EXECUTABLE (1=yes for code)
(indicates segment descriptor)
DESCRIPTOR PRIVILEGE LEVEL
PRESENT (1=yes)


DATA OR STACK SEGMENT (fields listed from LSB to MSB)

ACCESSED (1=yes)
WRITEABLE (1=yes)
EXPAND DOWN (1=down)
EXECUTABLE (0=no for data)
(indicates segment descriptor)
DESCRIPTOR PRIVILEGE LEVEL
PRESENT (1=yes)


Figure 6-7. Segment Descriptor Access Bytes


Figure 6-8. Memory Management Registers


6.6.1 Segment Address Translation 
Registers 


Figure 6-8 shows the segment registers 
CS, DS, ES, and SS. In contrast to their usual
representation, however, these registers are 
now depicted as 64-bit registers, each with 
“visible” and “hidden” components. 


The visible portions of these segment address 
translation registers are manipulated by 
programs exactly as if they were simply the 
16-bit segment registers of Real Address 
Mode. By loading a segment selector into one 
of these registers, the program makes the 
associated segment one of its four currently 
addressable segments. 


The operations that load these registers—or,
more exactly, those that load the visible 
portion of these registers—are normal 
program instructions. These instructions may 
be divided into two categories: 


1. Direct segment-register load instruc- 
tions. These instructions (such as LDS, 
LES, MOV, POP, etc.) can explicitly 
reference the SS, DS, or ES segment 
registers as the destination operand.


2. Implied segment-register load instruc- 
tions. These instructions (such as inter- 
segment CALL and JMP) implicitly 
reference the CS code segment register; 
as a result of these operations, the
contents of CS are altered. 


Using these instructions, a program loads the 
visible part of the segment register with a 
16-bit selector (i.e., the high-order word of a 
virtual address pointer). Whenever this is 
done, the processor automatically uses the 
selector to reference the appropriate descriptor
and loads the 48-bit hidden descriptor
cache for that segment register.


The correspondence between selectors and
descriptors has already been described.
Remember that the selector’s TI bit indicates
one of the two descriptor tables, either the
LDT or the GDT. Within the indicated table,
a particular entry is chosen by the selector’s
13-bit INDEX field. This index, scaled by a
factor of 8, represents the relative displacement
of the chosen table entry (a descriptor).


Thus, so long as a particular selector value is
valid (i.e., it points to a valid segment
descriptor within the bounds of the descriptor
table), it can be readily associated with an
8-byte descriptor. When a selector value is
loaded into the visible part of a segment
register, the iAPX 286 automatically loads 6
bytes of the associated descriptor into the
hidden part of the register. These 6 bytes,
therefore, contain the size, base, and access
type of the selected segment. Figure 6-9 illustrates
this transparent process of
descriptor loading.


Figure 6-9. Descriptor Loading


In effect, the hidden descriptor fields of the
segment registers function as the memory 
management cache of the iAPX 286. All the 
information required to address the current 
working set of segments—that is, the base 
address, size, and access rights of the 
currently addressable segments—is stored in 
this memory cache. Unlike the probabilistic 
caches of other architectures, however, the 
iAPX 286 cache is completely deterministic: 
the caching of descriptors is explicitly 
controlled by the program. 


Most memory references do not require the 
translation of a full 32-bit virtual address, or 
long pointer. Operands that are located within 
one of the currently addressable segments, as 
determined by the four segment registers, can 
be referenced very efficiently by means of a 
short pointer, which is simply a 16-bit offset. 


In fact, most iAPX 286 instructions reference 
memory locations in precisely this way, speci- 
fying only a 16-bit offset with respect to one 
of the currently addressable segments. The 
choice of segments (CS, DS, ES, or SS) is 
either implicit within the instruction itself, or 
explicitly specified by means of a segment- 
override prefix (as described in Chapter 2). 


Thus, in most cases, virtual-to-physical 
address translation is actually performed in 
two separate steps. First, when a program 
loads a new value into a segment register, the 
processor immediately performs a mapping 
operation; the physical base address of the 
selected segment (as well as certain additional 
information) is automatically loaded into the 
hidden portion of the register. The internal 
cache registers (virtual address translation 
hardware) are therefore dynamically shared 
among the 16K different segments poten- 
tially addressable within the user’s virtual 
address space. No software overhead (either 
system or application) is required to perform 
this operation. 


Subsequently, as the program utilizes a short 
pointer to reference a location within a 
segment, the processor generates a 24-bit 
physical address simply by adding the speci- 
fied offset value to the previously cached 
segment base address. By encouraging the use 
of short pointers in this way, rather than 
requiring a full 32-bit virtual address for every 
memory reference, the iAPX 286 provides a 
very efficient on-chip mechanism for address 
translation, with minimum overhead for 
references to memory-based tables or the need 
for external address-translation devices. 


6.6.2 System Address Registers 


The Global Descriptor Table Register 
(GDTR) is a dedicated 40-bit (5 byte) regis- 
ter used to record the base and size of a 
system’s global descriptor table (GDT). Thus, 
two of these bytes define the size of the GDT, 
and three bytes define its base address. 


In figure 6-8, the contents of the GDTR are 
referred to as a “hidden descriptor.” The term 
“descriptor” here emphasizes the analogy with 
the segment descriptors ordinarily found in 
descriptor tables. Just as these descriptors 
specify the base and size (limit) of ordinary 
segments, the GDTR register specifies these 
same parameters for that segment of memory 
serving as the system GDT. The limit prevents 
accesses to descriptors in the GDT from 
accessing beyond the end of the GDT and thus 
provides address space isolation at the system 
level as well as at the task level. 


The register contents are “hidden” only in the 
sense that they are not accessible by means 
of ordinary instructions. Instead, the 
dedicated protected instructions LGDT and 
SGDT are reserved for loading and storing, 
respectively, the contents of the GDTR at 
Protected Mode initialization (refer to section 
10.2 for details). Subsequent alteration of the 
GDT base and size values is not recom- 
mended but is a system option at the most 
privileged level of software (see section 7.3 for
a discussion of privilege levels). 


The Local Descriptor Table Register (LDTR) 
is a dedicated 40-bit register that contains, at 
any given moment, the base and size of the 
local descriptor table (LDT) associated with 
the currently executing task. Unlike GDTR, 
the LDTR register contains both a “visible”
and a “hidden” component. Only the visible 
component is accessible, while the hidden 
component remains truly inaccessible even to 
dedicated instructions. 


The visible component of the LDTR is a 
16-bit “selector” field. The format of these 
16 bits corresponds exactly to that of a 
segment selector in a virtual address pointer. 
Thus, it contains a 13-bit INDEX field, a 1- 
bit TI field, and a 2-bit RPL field. The TI 
“table indicator” bit must be zero, indicating 
a reference to the GDT (i.e., to global address 
space). The INDEX field consequently 
provides an index to a particular entry within 
the GDT. This entry, in turn, must be an LDT 
descriptor (or descriptor table descriptor), as 
defined in the previous section. In this way, 
the visible “selector” field of the LDTR, by 
selecting an LDT descriptor, uniquely desig- 
nates a particular LDT in the system. 


The dedicated, protected instructions LLDT 
and SLDT are reserved for loading and 
storing, respectively, the visible selector 
component of the LDTR register (refer to 
section 10.2 for details). Whenever a new 
value is loaded into the visible “selector”
portion of LDTR, an LDT descriptor will
have been uniquely chosen (assuming, of
course, that the “selector” value is valid). In
this case, the iAPX 286 automatically loads
the hidden “descriptor” portion of LDTR with
five bytes from the chosen LDT descriptor.
Thus, size and base information about a
particular LDT, as recorded in a
memory-resident global descriptor table entry, is
cached in the LDTR register.


New values may be loaded into the visible 
portion of the LDTR (and, thus, into the 
hidden portion as well) in either of two ways. 
The LLDT instruction, during system initial- 
ization, is used explicitly to set an initial value 
for the LDTR register; in this way, a local 
address space is provided for the first task in 
a multitasking environment. After system 
startup, explicit changes are not required since 
operations that automatically invoke a task 
switch (described in section 8.4) appropri- 
ately manage the LDTR.


At all times, the LDTR register thus records 
the physical base address (and size) of the 
current task’s LDT; the descriptor table 
required for mapping the current local address 
space, therefore, is immediately accessible to 
the processor. Moreover, since GDTR always 
maintains the base address of the GDT, the 
table that maps the global address space is 
similarly accessible. The two system address 
registers, GDTR and LDTR, act as a special 
processor cache, maintaining current infor- 
mation about the two descriptor tables 
required, at any given time, for addressing the 
entire current virtual address space. 


CHAPTER 7
PROTECTION


7.1 INTRODUCTION 


In most microprocessor based products, the 
product’s availability, quality, and reliability 
are determined by the software it contains. 
Software is often the key to a product’s 
success. Protection is a tool used to shorten 
software development time, and improve 
software quality and reliability. 


Program testing is an important step in 
developing software. A system with protec- 
tion will detect software errors more quickly 
and accurately than a system without protec- 
tion. Eliminating errors via protection reduces 
the development time for a product. 


Testing software is difficult. Many errors 
occur only under complex circumstances 
which are difficult to anticipate. The result is 
that products are shipped with undetected 
errors. When such errors occur, products 
appear unreliable. The impact of a software 
error is multiplied if it introduces errors in 
other bug-free programs. Thus, the total 
system reliability reduces to that of the least 
reliable program running at any given time. 


Protection improves the reliability of an entire 
system by preventing software errors in one 
program from affecting other programs. 
Protection can keep the system running even 
when some user program attempts an invalid 
or prohibited operation. 


Hardware protection performs run-time 
checks in parallel with the execution of the 
program. But, hardware protection has tradi- 
tionally resulted in a design that is more 
expensive and slower than a system without 
protection. However, the iAPX 286 provides 
hardware-enforced protection without the 
performance or cost penalties normally 
associated with protection. 


The protected mode iAPX 286 implements
extensive protection by integrating these 
functions on-chip. The iAPX 286 protection 
is more comprehensive and flexible than 
comparable solutions. It can locate and isolate 
a large number of program errors and prevent 
the propagation of such errors to other tasks 
or programs. The protection of the total 
system detects and isolates bugs both during 
development and installed usage. Chapter 9 
discusses exceptions in more detail. 


The remaining sections of this chapter explain 
the protection model implemented in the 
iAPX 286. 


7.1.1 Types of Protection 


Protection in the iAPX 286 has three basic 
aspects:


1. Isolation of system software from user 
applications. 


2. Isolation of users from each other (Inter- 
task protection). 


3. Data-type checking. 


The iAPX 286 provides a four-level, ringed- 
type, increasingly-privileged protection 
mechanism to isolate applications software 
from various layers of system software. This 
is a major improvement and extension over 
the simpler two-level user/supervisor mecha- 
nism found in many systems. Software 
modules in a supervisor level are protected 
from modules in the application level and 
from software in less privileged supervisor 
levels.


Restricting the addressability of a software 
module enables an operating system to control 
system resources and priorities. This is 
supports multiple concurrent users. Multi-
user, multi-tasking, and distributed process- 
ing systems require this complete control of 
system resources for efficient, reliable 
operation. 


The second aspect of protection is isolating 
users from each other. Without such isolation 
an error in one user program could affect the 
operation of another error-free user program. 
Such subtle interactions are difficult to 
diagnose and repair. The reliability of appli- 
cations programs is greatly enhanced by such 
isolation of users. 


Within a system or application level program, 
the iAPX 286 will ensure that all code and 
data segments are properly used (e.g., data 
cannot be executed, programs cannot be 
modified, and offset must be within defined 
limits, etc.). Such checks are performed on 
every memory access to provide full run-time
error checking. 


7.1.2 Protection Implementation


The protection hardware of the iAPX 286 
establishes constraints on memory and 
instruction usage. The number of possible 
interactions between instructions, memory, 
and I/O devices is practically unlimited. Out 
of this very large field the protection mecha- 
nism limits interactions to a controlled, 
understandable subset. Within this subset fall 
the list of “correct” operations. Any opera- 
tion that does not fall into this subset is not 
allowed by the protection mechanism and is 
signalled as a protection violation. 


To understand protection on the iAPX 286, 
you must begin with its basic parts: segments 
and tasks. iAPX 286 segments are the small- 
est region of memory which have unique 
protection attributes. Modular programming 
automatically produces separate regions of
memory (segments) whose contents are
treated as a whole. Segments reflect the 
natural construction of a program, e.g., code 
for module A, data for module A, stack for 
the task, etc. All parts of the segment are 
treated in the same way by the iAPX 286. 
Logically separate regions of memory should 
be in separate segments. 


The memory segmentation model (see figure 
7-1) of the iAPX 286 was designed to 
optimally execute code for software composed 
of independent modules. Modular programs 
are easier to construct and maintain. 
Compared to monolithic software systems, 
modular software systems have enhanced 
capabilities, and are typically easier to develop 
and test for proper operation. 


Each segment in the system is defined by a 
memory-resident descriptor. The protection 
hardware prevents accesses outside the data 
areas and attempts to modify instructions, 
etc., as defined by the descriptors. Segmen- 
tation on the 1APX 286 allows protection 
hardware to be integrated into the CPU for 
full data access control without any
performance impact.


The segmented memory architecture of the 
iAPX 286 provides unique capabilities for 
regulating the transfer of control between 
programs.


Programs are given direct but controlled 
access to other procedures and modules. This 
capability is the heart of isolating application 
and system programs. Since this access is 
provided and controlled directly by the iAPX 
286 hardware, there is no performance 
penalty. A system designer can take advantage
of the iAPX 286 access control to design
high-performance modular systems with a
high degree of confidence in the integrity of
the system.


Figure 7-1. Addressing Segments of a Module Within a Task


Access control between programs and the 
operating system is implemented via address 
space separation and a privilege mechanism. 
The address space control separates applica- 
tions programs from each other while the 
privilege mechanism isolates system software 
from applications software. The privilege 
mechanism grants different capabilities to 
programs to access code, data, and I/O 
resources based on the associated protection 
level. Trusted software that controls the whole 
system is typically placed at the most privi- 
leged level. Ordinary application software 
does not have to deal with these control
mechanisms. They come into play only when
there is a transfer of control between tasks,
or if the Operating System routines have to
be invoked.


The protection features of multiple privilege 
levels extend to ensuring reliable I/O control. 
However, for a system designer to enable only 
one specific level to do I/O would excessively 
constrain subsequent extensions or applica- 
tion development. Instead, the iAPX 286 
permits each task to be assigned a separate 
minimum level where I/O is allowed. I/O 
privilege is discussed in section 10.3. 


An important distinction exists between tasks
and programs. Programs (e.g., instructions in 
code segments) are static and consist of a 
fixed set of code and data segments each with 
an associated privilege level. The privilege 
assigned to a program determines what the 
program may do when executed by a task. 
Privilege is assigned to a program when the 
system is built or when the program is loaded. 


Tasks are dynamic; they execute one or more 
programs. Task privilege changes with time 
according to the privilege level of the program 
being executed. Each task has a unique set of 
attributes that define it, e.g., address space, 
register values, stack, data, etc. A task may 
execute a program if that program appears in 
the task’s address space. The rules of protec- 
tion control determine when a program may 
be executed by a task, and once executed, 
determine what the program may do. 


7.2 MEMORY MANAGEMENT AND 
PROTECTION 

The protection hardware of the iAPX 286 is
related to the memory management hardware.
Since protection attributes are assigned to
segments, they are stored along with the
memory management information in the
segment descriptor. The protection information
is specified when the segment is created.
In addition to privilege levels, the descriptor
defines the segment type (e.g., Code segment,
Data segment, etc.). Descriptors may be
created either by program development tools
or by a loader in a dynamically loaded
reprogrammable environment.


The protection control information consists of 
a segment type, its privilege level, and size. 
These are fields in the access byte of the 
segment descriptor (see figure 7-2). This 
information is saved on-chip in the programmer
invisible section of the segment register
for fast access during execution. These entries
are changed only when a segment register is
loaded. The protection data is used at two 
times: upon loading a segment register and 
upon each reference to the selected segment. 


The hardware performs several checks while
loading a segment register. These checks
enforce the protection rules before any
memory reference is generated. The hardware
verifies that the selected segment is valid (is
identified by a descriptor, is in memory, and
is accessible from the privilege level in which
the program is executing) and that the type
is consistent with the target segment register.
For example, you cannot load a read-only
segment descriptor into SS because the stack
must always be writable.


Figure 7-2. Descriptor Cache Registers
(PROGRAM VISIBLE: segment selectors in the segment registers, loaded by
program. PROGRAM INVISIBLE: access rights, segment base address, and
segment size in the segment descriptor cache registers, loaded by CPU.)


Each reference into the segment defined by a 
segment register is checked by the hardware 
to verify that it is within the defined limits of 
the segment and is of the proper type. For 
example, a code segment or read-only data 
segment cannot be written. All these checks
are made before the memory cycle is started;
any violation will prevent that cycle from
starting and cause an exception to occur.
Since the checks are performed concurrently 
with address formation, there is no perform- 
ance penalty. 


By controlling the access rights and privilege 
attributes of segments, the system designer 
can assure a program will not change its code 
or overwrite data belonging to another task. 
Such assurances are vital to maintaining 
system integrity in the face of error-prone 
programs. 
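

The two points at which the protection data is used, a segment-register load and each later reference, as an added C sketch (not code from the manual). Function and enum names and the sample access bytes are constructed for this example; privilege-level comparison is omitted, the size field is assumed to hold the last valid offset, and the expand-down rule (valid offsets lie above the limit) is the architecture's rule rather than something this section spells out.

```c
#include <stdint.h>
#include <stdio.h>

/* Access byte, MSB to LSB: P | DPL (2 bits) | S | E | C/ED | R/W | A */
#define AB_PRESENT  0x80u
#define AB_SEGMENT  0x10u  /* S = 1: code or data segment descriptor */
#define AB_EXEC     0x08u  /* 1 = code segment, 0 = data or stack segment */
#define AB_CONF_ED  0x04u  /* code: conforming; data: expand down */
#define AB_RW       0x02u  /* code: readable; data: writeable */

enum seg_reg { REG_CS, REG_DS, REG_ES, REG_SS };
enum access_kind { ACC_READ, ACC_WRITE, ACC_EXECUTE };
enum load_result { LOAD_OK, LOAD_INVALID, LOAD_TYPE_MISMATCH, LOAD_NOT_PRESENT };
enum ref_result { REF_OK, REF_LIMIT_VIOLATION, REF_TYPE_VIOLATION };

/* What the hidden part of a segment register holds for these checks. */
struct cached_seg {
    uint16_t limit;   /* size field; assumed to be the last valid offset */
    uint8_t access;   /* access byte copied from the descriptor */
};

/* Check made once, when a selector is loaded into a segment register.
 * Privilege-level comparison is left out of this sketch. */
enum load_result check_load(enum seg_reg reg, uint8_t access) {
    int code = (access & AB_EXEC) != 0;
    int rw = (access & AB_RW) != 0;

    if (access == 0x00 || access == 0x80)
        return LOAD_INVALID;
    if (!(access & AB_SEGMENT))          /* special descriptors (S = 0) */
        return LOAD_TYPE_MISMATCH;
    if (reg == REG_CS && !code)          /* CS needs an executable segment */
        return LOAD_TYPE_MISMATCH;
    if (reg == REG_SS && (code || !rw))  /* the stack must always be writable */
        return LOAD_TYPE_MISMATCH;
    if ((reg == REG_DS || reg == REG_ES) && code && !rw)
        return LOAD_TYPE_MISMATCH;       /* execute-only code is not readable */
    if (!(access & AB_PRESENT))          /* segment is not in memory */
        return LOAD_NOT_PRESENT;
    return LOAD_OK;
}

/* Check made on every reference through a loaded segment register.
 * size is the operand width in bytes (1 or 2). */
enum ref_result check_reference(struct cached_seg seg, enum access_kind kind,
                                uint16_t offset, unsigned size) {
    int code = (seg.access & AB_EXEC) != 0;
    int rw = (seg.access & AB_RW) != 0;
    uint32_t last = (uint32_t)offset + size - 1u;  /* last byte touched */

    if (!code && (seg.access & AB_CONF_ED)) {
        /* Expand-down data: valid offsets run from limit + 1 up to FFFFH. */
        if (offset <= seg.limit || last > 0xFFFFu)
            return REF_LIMIT_VIOLATION;
    } else if (last > seg.limit) {
        return REF_LIMIT_VIOLATION;
    }

    switch (kind) {
    case ACC_EXECUTE: return code ? REF_OK : REF_TYPE_VIOLATION;
    case ACC_WRITE:   return (!code && rw) ? REF_OK : REF_TYPE_VIOLATION;
    default:          return (!code || rw) ? REF_OK : REF_TYPE_VIOLATION;
    }
}

int main(void) {
    /* Constructed sample access bytes: 90H read-only data, 92H writable data. */
    struct cached_seg data = { 0x00FF, 0x92 };
    printf("load 90H into SS: %d\n", (int)check_load(REG_SS, 0x90));
    printf("word write at 00FFH: %d\n",
           (int)check_reference(data, ACC_WRITE, 0x00FF, 2));
    return 0;
}
```

A word write at offset 00FFH in a segment whose limit is 00FFH is rejected because its second byte falls outside the segment, which is the case a byte-only limit comparison would miss.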


7.2.1 Separation of Address Spaces 


As described in Chapter 6, each task can
address up to a gigabyte (2^14 - 2 segments of
up to 65536 bytes each) of virtual memory
defined by the task’s LDT (Local Descriptor
Table) and the system GDT. Up to one-half
gigabyte (2^13 segments of up to 65536 bytes
each) of the task’s address space is defined by
the LDT and represents the task’s private
address space. The remaining virtual address
space is defined by the GDT and is common
to all tasks in the system.
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Each descriptor table is itself a special kind 
of segment recognized by the iAPX 286 
architecture. These tables are defined by 
descriptors in the GDT (Global Descriptor 
Table). The CPU has a set of base and limit 
registers that point to the GDT and the LDT 
of the currently running task. The local 
descriptor table register is loaded by a task 
switch operation. 


An active task can only load selectors that 
reference segments defined by descriptors in 
either the GDT or its private LDT. Since a 
task cannot reference descriptors in other 
LDTs, and no descriptors in its LDT refer to 
data or code belonging to other tasks, it 
cannot gain access to another task’s private
code and data (see figure 7-3). 


Since the GDT contains information that is 
accessible by all users (e.g., library routines, 
common data, Operating System services, 
etc.), the iAPX 286 uses privilege levels and 
special descriptor types to control access (see 
section 7.2.2). Privilege levels protect more 
trusted data and code (in GDT and LDT) 
from less trusted access (WITHIN a task), 
while the private virtual address spaces 
defined by unique LDTs provide protection 
BETWEEN tasks (see figure 7-4). 


7.2.2 LDT and GDT Access Checks 


All descriptor tables have a limit used by the 
protection hardware to ensure address space 
separation of tasks. Each task’s LDT can be 
a different size as defined by its descriptor in 
the GDT. The GDT may also contain less 
than 8191 descriptors as defined by the GDT 
limit value. The descriptor table limit identi- 
fies the last valid byte of the last descriptor 
in that table. Since each descriptor is eight
bytes long, the limit value is N×8-1 for N
descriptors.



Any attempt by a program to load a segment 
register, local descriptor table register 
(LDTR), or task register (TR) with a selec- 
tor that refers to a descriptor outside the 
corresponding limit causes an exception with 
an error code identifying the invalid selector 
used (see figure 7-5). 


Not all descriptor entries in the GDT or LDT
need contain a valid descriptor. There can be
holes, or “empty” descriptors, in the LDT and
GDT. “Empty” descriptors allow dynamic
allocation and deletion of segments or other
system objects without changing the size of
the GDT or LDT. Any descriptor with an
access byte equal to zero is considered empty.
Any attempt to load a segment register with
a selector that refers to an empty descriptor
will cause an exception with an error code
identifying the invalid selection.


Figure 7-3. iAPX 286 Virtual Address Space
(Task A private address space, Task B address space, Task C private
address space, each with offsets up to 65535, and the shared address space)


Figure 7-4. Local and Global Descriptor Table Definition


Figure 7-5. Error Code Format (on the Stack)

Legend of the error code fields:

  1 means that an event external to the program caused the exception
    (i.e., external interrupt, single step, processor extension error)
  0 means that an exception occurred while processing the instruction
    at CS:IP saved on stack.

  1 means use IDT and ignore bit 2.
  0 means bit 2 indicates table usage.

  Bit 2: 1 means use LDT
         0 means use GDT

  Index: Entry in IDT, GDT, or LDT


7.2.3 Type Validation 


After checking that a selector reference is 
within the bounds of a descriptor table and 
refers to a non-empty descriptor, the type of 
segment defined by the descriptor is checked 
against the destination register. Since each 
segment register has predefined functions, 
each must refer to certain types of segments 
(see section 7.4.1). An attempt to load a 
segment register in violation of the protection 
rules causes an exception. 


The “null” selector is a special type of
segment selector. It has an index field of all
zeros and a table indicator of 0. The null
selector appears to refer to GDT descriptor
entry #0 (see GDT in figure 7-3). This selector
value may be used as a place holder in the
DS or ES segment registers; it may be loaded
into them without causing an exception.
However, any attempt to use the null segment
registers to reference memory will cause an
exception and prevent any memory cycle from
occurring.


7.3 PRIVILEGE LEVELS AND PROTECTION 


As explained in section 6.2, each task has its 
own separate virtual address space defined by 
its LDT. All tasks share a common address 
space defined by the GDT. The system 
software then has direct access to task data 
and can treat all pointers in the same way. 


Protection is required to prevent programs 
from improperly using code or data that 
belongs to the operating system. The four 
privilege levels of the iAPX 286 provide the 
isolation needed between the various layers of 
the system. The iAPX 286 privilege levels are 
numbered from 0 to 3, where 0 is the most 
trusted level, 3 the least.


Privilege level is a protection attribute 
assigned to all segments. It determines which 
procedures can access the segment. Like 
access rights and limit checks, privilege checks
are automatically performed by the hardware,
and thus protect both data and code
segments.


Privilege on the iAPX 286 is hierarchical. 
Operating system code and data segments 
placed at the most privileged level (0) cannot 
be accessed directly by programs at other 
privilege levels. Programs at privilege level 0
may access data at all other levels. Programs 
at privilege levels 1-3 may only access data at 
the same or less trusted (numerically greater) 
privilege levels. Figure 7-6 illustrates the 
privilege level protection of code or data 
within tasks. 


In figure 7-6, programs can access data at the 
same or outer level, but not at inner levels. 
Code and data segments placed at level 1
cannot be accessed by programs executing at
levels 2 or 3. Programs at privilege level 0 can
access data at level 1 in the course of provid- 
ing service to that level. iAPX 286 provides 
mechanisms for inter-level transfer of control 
when needed (see section 7.5). 


The four privilege levels of the iAPX 286 are 
an extension of the typical two-level user/ 
supervisor privilege mechanism. Like user 
mode, application programs in the outer level 
are not permitted direct access to data 
belonging to more privileged system services 
(supervisor mode). The iAPX 286 adds two 
more privilege levels to provide protection for 
different layers of system software (system
services, I/O drivers, etc.).


7.3.1 Example of Using Four Privilege 
Levels 


Two extra privilege levels allow development 
of more reliable, and flexible system software. 
This is achieved by dividing the system into 
small, independent units. Figure 7-6 shows an 
example of the usage of different protection 
levels. Here, the most privileged level is called
the kernel. This software would provide basic,
application-independent, CPU-oriented
services to all tasks. Such services include
memory management, task isolation, multitasking,
inter-task communication, and I/O
resource control. Since the kernel is only
concerned with simple functions and cannot
be affected by software at other privilege
levels, it can be kept small, safe, and
understandable.


Figure 7-6. Code and Data Segments Assigned to a Privilege Level


Privilege level one is designated system
services. This software provides high-level
functions like file access scheduling, character
I/O, data communications, and resource
allocation policy which are commonly
expected in all systems. Such software
remains isolated from applications programs
and relies on the services of the kernel, yet
cannot affect the integrity of level 0.


Privilege level 2 is the custom operating 
system extensions level. It allows standard 
system software to be customized. Such 
customizing can be kept isolated from errors 
in applications programs, yet cannot affect the 
basic integrity of the system software. 
Examples of customized software are the data 
base manager, logical file access services, etc. 


This is just one example of protection mecha- 
nism usage. Levels 1 and 2 may be used in 
many different ways. The usage (or non- 
usage) is up to the system designer.


Programs at each privilege level are isolated
from programs at outer layers, yet cannot
affect programs in inner layers. Programs
written for each privilege level can be smaller,
easier to develop, and easier to maintain than
a monolithic system where all system software
can affect all other system software.


7.3.2 Privilege Usage 

Privilege applies to tasks and three types of
descriptors:

1. Main memory segments

2. Gates (control descriptors for state or task
   transitions, discussed in sections 7.5.1,
   7.5.3, 8.3, 8.4 and 9.2)

3. Task state segments (discussed in
   Chapter 8).


Task privilege is a dynamic value. It is derived 
from the code segment currently being 
executed. Task privilege can change only
when control transfers to a different code
segment.


Descriptor privilege, including code segment 
privilege, is assigned when the descriptor (and 
any associated segment) is created. The 
system designer assigns privilege directly 
when the system is constructed with the 
system builder (see the iAPX 286 Builder 
User’s Guide) or indirectly via a loader. 


Each task operates at only one privilege level 
at any given moment: namely that of the code 
segment being executed. (The conforming 
segments discussed in section 11.2 permit 
some flexibility in this regard.) However, as 
figure 7-6 indicates, the task may contain 
segments at one, two, three, or four levels, all 
of which are to be used at appropriate times. 
The privilege level of the task, then, changes 
under the carefully enforced rules for trans- 
fer of control from one code segment to 
another.


The descriptor privilege attribute is stored in 
the access byte of a descriptor and is called 
the Descriptor Privilege Level (DPL). Task 
privilege is called the Current Privilege Level 
(CPL). The least significant two bits of the 
CS register specify the CPL. 


A few general rules of privilege can be stated
before the detailed discussions of later
sections. Data access is restricted to those
segments whose privilege level is the same or
less privileged (numerically greater) than the
current privilege level (CPL). Direct code
access, e.g., via call or jump, is restricted to
code segments of equal privilege. A gate
(section 7.5.1) is required for access to code
at more privileged levels.


7.4 SEGMENT DESCRIPTOR 


Although the format of access control infor- 
mation, discussed below, is similar for both 
data and code segment descriptors, the rules 
for accessing data segments differ from those 
for transferring control to code segments. 
Data segments are meant to be accessible 
from many privilege levels, e.g., from other 
programs at the same level or from deep 
within the operating system. The main 
restriction is that they cannot be accessed by 
less privileged code. 


Code segments, on the other hand, are meant 
to be executed at a single privilege level. 
Transfers of control that cross privilege 
boundaries are tightly restricted, requiring the 
use of gates. Control transfers within a privi- 
lege level can also use gates, but they are not 
required. Control transfers are discussed in 
section 7.5.


Protection checks are automatically invoked 
at several points in selecting and using new 
segments. The process of addressing memory 
begins when the currently executing program 
attempts to load a selector into one of the 
segment registers. As discussed in Chapter 6, 
the selector has the form shown in figure 7-7.


When a new selector is loaded into a segment
register, the processor accesses the associated 
descriptor to perform the necessary loading 
and privilege checks. 


The protection mechanism verifies that the
selector points to a valid descriptor type for
the segment register (see section 7.4.1). After
verifying the descriptor type, the CPU
compares the privilege level of the task (CPL)
to the privilege level in the descriptor (DPL)
before loading the descriptor’s information
into the cache.


The general format of the eight bits in the
segment descriptor’s access rights byte is
shown in table 7-1.


SELECTOR

BITS   NAME                       FUNCTION

1-0    REQUESTED PRIVILEGE        INDICATES SELECTOR PRIVILEGE
       LEVEL (RPL)                LEVEL DESIRED

2      TABLE INDICATOR (TI)       0 USE GLOBAL DESCRIPTOR TABLE (GDT)
                                  1 USE LOCAL DESCRIPTOR TABLE (LDT)

15-3   INDEX                      SELECT DESCRIPTOR ENTRY IN TABLE


Figure 7-7. Selector Fields


Table 7-1. Segment Access Rights Byte Format

Name         Function

Present      1 means Present and addressable in real memory; 0 means not
             present. See section 11.3.

DPL          2-bit Descriptor Privilege Level, 0 to 3.

Segment      1 means Segment descriptor; 0 means control descriptor.

For Segment=1, the remaining bits have the following meanings:

Executable   1 means code, 0 means data.

C or ED      If code, Conforming: 1 means yes, 0 no.
             If data, Expand Down: 1 yes, 0 no—normal case.

R or W       If code, Readable: 1 means readable, 0 not.
             If data, Writable: 1 means writable, 0 not.

Accessed     1 if segment descriptor has been Accessed, 0 if not.

NOTE: When the Segment bit (bit 4) is 0, the descriptor is for a gate, a task state segment, or a Local Descriptor
Table, and the meanings of bits 0 through 3 change. Control transfers and descriptors are discussed in
section 7.5.


For example, the access rights bytes for a data
and code segment present in real memory but
not yet accessed (at the same privilege level)
are shown in figure 7-8.


Whenever a segment descriptor is loaded into 
a segment register, the accessed bit in the 
descriptor table is set to 1. This bit is useful 
for determining the usage profile of the 
segment. 

NOTE
The Intel reserved bytes in the segment
descriptor must be set to 0 for compatibility
with iAPX 386.


7.4.1 Data Accesses 


Data may be accessed in data segments or 
readable code segments. When DS or ES is 
loaded with a new selector, e.g., by an LDS,
LES, or MOV to ES, SS, or DS instruction,
the bits in the access byte are checked to
verify legitimate descriptor type and access 
(see table 7-2). If any test fails, an error code 
is pushed onto the stack identifying the selec- 
tor involved (see figure 7-5 for the error code 
format). 


A privilege check is made when the segment
register is loaded. In general, a data segment’s
DPL must be numerically greater than or
equal to the CPL. The DPL of a descriptor
loaded into the SS must equal the CPL.
Conforming code segments are an exception
to privilege checking rules (see section 11.2).


Once the segment descriptor and selector are
loaded, the offsets of subsequent accesses
within the segment are checked against the
limit given in the segment descriptor. Violating
the segment size limit causes a General
Protection exception with an error code of 0.


Figure 7-8. Access Byte Example
(panels: Readable Code Segment; Writable Data Segment)


Table 7-2. Allowed Segment Types in Segment Registers
(columns: Segment Register; Allowed Segment Types: Read Only Data
Segment, Read-Write Data Segment, Execute Only Code Segment,
Execute-Read Code Segment)


A normal data segment is addressed with
offset values ranging from 0 to the size of the
segment. When the ED bit of the access rights
byte in the segment descriptor is 0, the
allowed range of offsets is 0000H to the limit.
If limit is 0FFFFH, the data segment contains
65536 bytes.


Since stacks normally occupy different offset
ranges (lower limit to 0FFFFH) than data
segments, the limit field of a segment
descriptor can be interpreted in two ways. The
Expand Down (ED) bit in the access byte
allows offsets for stack segments to be greater
than the limit field. When ED is 1, the
allowed range of offsets within the segment is
limit+1 to 0FFFFH. To allow a full stack
segment, set ED to 1 and the limit to
0FFFFH. The ED bit of a data segment
descriptor does not have to be set for use in
SS (i.e., it will not cause an exception).
Section 7.5.4 discusses stack segment usage
in greater detail. An expand down (ED=1)
segment can also be loaded into ES or DS.


Limit and access checks are performed before 
any memory reference is started. For stack 
push instructions (PUSH, PUSHA, ENTER, 
CALL, INT), a possible limit violation is 
identified before any internal registers are 
updated. Therefore, these instructions are 
fully restartable after a stack size violation. 


7.4.2 Code Segment Access 


Code segments are accessed via CS for 
execution. Segments that are execute-only can 
ONLY be executed; they cannot be accessed 
via DS or ES, nor read via CS with a CS 
override prefix. If a segment is executable (bit 
3=1 in the access byte), access via DS or ES 
is possible only if it is also readable. Thus, 
any code segment that also contains data must 
be readable. (Refer to Chapter 2 for a discus- 
sion of segment override prefixes. ) 


An execute-only segment preserves the 
privacy of the code against any attempt to 
read it; such an attempt causes a general 
protection fault with an error code of 0. A 
code segment cannot be loaded into SS and is 
never writable. Any attempted write will 
cause a general protection fault with an error 
code of 0. 


The limit field of a code segment descriptor 
identifies the last byte in the segment. Any
offset greater than the limit value will cause 
a general protection fault. The prefetcher of 
the iAPX 286 can never cause a code segment 
limit violation with an error code of 0. The 
program must actually attempt to execute an 
instruction beyond the end of the code 
segment to cause an exception. 


If a readable non-conforming code segment is 
to be loaded into DS or ES, the privilege level 
requirements are the same as those stated for 
data segments in 7.4.1.


Code segments are subject to different privi- 
lege checks when executed. The normal privi- 
lege requirement for a jump or call to another 
code segment is that the current privilege level 
equal the descriptor privilege level of the new 
code segment. Jumps and calls within the 
current code segment automatically obey this 
rule.


Return instructions may pass control to code 
segments at the same or less (numerically 
greater) privileged level. Code segments at 
more privileged levels may only be reached 
via a call through a call gate as described in 
section 7.5. 


An exception to this, previously stated, is the 
conforming code segment that allows the DPL 
of the requested code segment to be numeri- 
cally less than (of greater privilege than) the 
CPL. Conforming code segments are 
discussed in section 11.2.


7.4.3 Data Access Restriction by
Privilege Level


This section describes privilege verification
when accessing either data segments (loading
segment selectors into DS, ES, or SS) or
readable code segments. Privilege verification
when loading CS for transfer of control across
privilege levels is described in the next section.


Three basic kinds of privilege level indicators 
are used when determining accessibility to a 
segment for reading and writing. They are 
termed Current Privilege Level (CPL), 
Descriptor Privilege Level (DPL), and 
Requested Privilege Level (RPL). The CPL 
is simply the privilege level of the code 
segment that is executing (except if the 
current code segment is conforming). The 
CPL is stored as bits 0 and 1 of the CS and
SS registers. Bits 0 and 1 of DS and ES are
not related to CPL.


DPL is the privilege level of the segment; it is 
stored in bits 5 and 6 of the access byte of a 
descriptor. For data access to data segments
and non-conforming code segments, CPL
must be numerically less than or equal to DPL
(the task must be of equal or greater privilege)
for access to be granted. Violation of this
rule during a segment load instruction causes a
general protection exception with an error
code identifying the selector.


While the enforcement of DPL protection 
rules provides the mechanism for the isola- 
tion of code and data at different privilege 
levels, it is conceivable that an erroneous 
pointer passed onto a more trusted program 
might result in the illegal modification of data 
with a higher privilege level. This possibility 
is prevented by the enforcement of effective
privilege level protection rules and correct
usage of the RPL value.


The RPL (requested privilege level) is used
for pointer validation. It is the least significant
two bits in the selector value loaded into
any segment register. RPL is intended to
indicate the privilege level of the originator of
that selector. A selector may be passed down
through several procedures at different levels.
The RPL reflects the privilege level of the
original supplier of the selector, not the privilege
level of the intermediate supplier. The
RPL must be numerically less than or equal
to the DPL of the descriptor selected, thereby
indicating greater or equal privilege of the
supplier; otherwise, access is denied and a
general protection violation occurs.


Pointer validity testing is required in any 
system concerned with preventing program 
errors from destroying system integrity. The 
iAPX 286 provides hardware support for 
pointer validity testing. The RPL field 
indicates the privilege level of the originator 
of the pointer to the hardware. Access will be 
denied if the originator of the pointer did not 
have access to the selected segment even if 
the CPL is numerically less than or equal to 
the DPL. RPL can reduce the effective privilege
of a task when using a particular selector.
RPL never allows access to more
privileged segments (CPL must always be 
numerically less than or equal to DPL). 


A fourth term is sometimes used: the Effec- 
tive Privilege Level (EPL). It is defined as the 
numeric maximum of the CPL and the 
RPL—meaning the one of lesser privilege. 
Access to a protected entity is granted only 
when the EPL is numerically less than or 
equal to the DPL of that entity. This is simply 
another way of saying that both CPL and 
RPL must be numerically less than or equal 
to DPL for access to be granted. 
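The checks of sections 7.2.2 through 7.4.3, collected into one model of a DS, ES or SS load. This is an added example, not code from the manual: the function names, result codes and sample tables are hypothetical, the descriptor is reduced to its limit and access byte, and conforming code segments (section 11.2) are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Access rights byte (Table 7-1), most significant bit first: Present,
   DPL (bits 6-5), Segment (bit 4), Executable (bit 3), C/ED, R/W, Accessed. */
#define AR_PRESENT 0x80u
#define AR_SEGMENT 0x10u
#define AR_EXEC    0x08u
#define AR_ED      0x04u            /* Expand Down, when the segment is data */
#define AR_RW      0x02u            /* Readable (code) or Writable (data) */
#define AR_DPL(ar) (((ar) >> 5) & 3u)

enum seg_reg { REG_DS, REG_ES, REG_SS };
enum load_result { LOAD_OK, LOAD_NULL, ERR_LIMIT, ERR_EMPTY, ERR_TYPE,
                   ERR_PRIVILEGE, ERR_NOT_PRESENT };
struct descriptor { uint16_t limit; uint8_t access; };   /* simplified */
struct desc_table { const struct descriptor *entry; uint16_t limit; };

/* Error code for a program-caused fault on a GDT/LDT selector: index and
   table indicator are kept, the low-order two bits are zero. */
uint16_t error_code(uint16_t selector) { return selector & 0xFFFCu; }

/* Checks made when DS, ES or SS is loaded while running at privilege cpl. */
enum load_result check_load(enum seg_reg reg, uint16_t selector, unsigned cpl,
                            const struct desc_table *gdt,
                            const struct desc_table *ldt)
{
    unsigned rpl = selector & 3u;           /* Figure 7-7: bits 1-0 */
    unsigned ti = (selector >> 2) & 1u;     /* bit 2: 0 = GDT, 1 = LDT */
    unsigned index = selector >> 3;         /* bits 15-3 */
    const struct desc_table *t = ti ? ldt : gdt;

    /* Null selector: a placeholder for DS/ES. Rejecting it for SS is this
       model's assumption; the section only describes DS and ES. */
    if (index == 0 && ti == 0)
        return reg == REG_SS ? ERR_TYPE : LOAD_NULL;

    /* 7.2.2: the descriptor's last byte must lie within the table limit. */
    if (index * 8u + 7u > t->limit)
        return ERR_LIMIT;
    uint8_t ar = t->entry[index].access;
    if (ar == 0)                            /* empty descriptor (hole) */
        return ERR_EMPTY;

    /* 7.2.3: control descriptors never go in DS, ES or SS; SS needs
       writable data; DS/ES accept data or readable code. */
    if (!(ar & AR_SEGMENT))
        return ERR_TYPE;
    if (reg == REG_SS && ((ar & AR_EXEC) || !(ar & AR_RW)))
        return ERR_TYPE;
    if (reg != REG_SS && (ar & AR_EXEC) && !(ar & AR_RW))
        return ERR_TYPE;

    /* 7.4.3: EPL = max(CPL, RPL) must be <= DPL; SS also needs DPL == CPL. */
    unsigned dpl = AR_DPL(ar), epl = cpl > rpl ? cpl : rpl;
    if (epl > dpl || (reg == REG_SS && dpl != cpl))
        return ERR_PRIVILEGE;

    /* Presence is tested last here, an assumption carried over from the
       order the text gives for gates. */
    return (ar & AR_PRESENT) ? LOAD_OK : ERR_NOT_PRESENT;
}

/* 7.4.1: byte offset against the limit, honouring Expand Down. */
int offset_ok(const struct descriptor *d, uint16_t offset)
{
    int expand_down = !(d->access & AR_EXEC) && (d->access & AR_ED);
    return expand_down ? offset > d->limit : offset <= d->limit;
}

/* Constructed sample tables (not from the manual). */
static const struct descriptor sample_gdt[] = {
    { 0x0000, 0x00 },   /* 0: entry the null selector appears to name */
    { 0xFFFF, 0x92 },   /* 1: DPL 0 writable data, present */
    { 0x0FFF, 0x98 },   /* 2: DPL 0 execute-only code */
    { 0x0000, 0x00 },   /* 3: empty hole */
};
static const struct descriptor sample_ldt[] = {
    { 0x7FFF, 0xF2 },   /* 0: DPL 3 writable data */
    { 0x00FF, 0xF0 },   /* 1: DPL 3 read-only data */
    { 0x0FFF, 0xF6 },   /* 2: DPL 3 expand-down writable data (stack) */
};
const struct desc_table GDT = { sample_gdt, 4 * 8 - 1 };   /* N x 8 - 1 */
const struct desc_table LDT = { sample_ldt, 3 * 8 - 1 };

int main(void)
{
    static const struct { const char *what; enum seg_reg r; uint16_t s; unsigned cpl; } c[] = {
        { "level 3 loads its own data",         REG_DS, 0x0007, 3 },
        { "level 3 names DPL 0 data",           REG_DS, 0x0008, 3 },
        { "level 0 uses a selector with RPL 3", REG_DS, 0x000B, 0 },
        { "read-only data into SS",             REG_SS, 0x000F, 3 },
    };
    for (unsigned i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-36s -> result %d, error code %04X\n", c[i].what,
               check_load(c[i].r, c[i].s, c[i].cpl, &GDT, &LDT), error_code(c[i].s));
    return 0;
}
```

The third case is the one the EPL rule exists for: the code runs at level 0, but the selector carries RPL 3, so the load is refused exactly as it would be for the level 3 originator.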


7.4.4 Pointer Privilege Stamping via ARPL


The ARPL instruction is provided in the
iAPX 286 to fill the RPL field of a selector
with the minimum privilege (maximum
numeric value) of the selector’s current RPL
and the caller’s CPL (given in an instruction-specified
register). A straight insertion of the
caller’s CPL would stamp the pointer with the 
privilege level of the caller, but not necessar- 
ily the ultimate originator of the selector (e.g., 
Level 3 supplies a selector to a level 2 routine 
that calls a level 0 routine with the same 
selector). 


Figure 7-9 shows a program with an example 
of such a situation. The program at privilege 
level 3 calls a routine at level 2 via a gate. 
The routine at level 2 uses the ARPL instruc- 
tion to assure that the selector’s RPL is 3. 
When the level 2 routine calls a routine at 
level 0 and passes the selector, the ARPL
instruction at level 0 leaves the RPL field 
unchanged. 


Stamping a pointer with the originator’s 
privilege eliminates the complex and time- 
consuming software typically associated with 
pointer validation in less comprehensive 
architectures. The iAPX 286 hardware 
performs the pointer test automatically while 
loading the selector. 
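The stamping chain described above (level 3 to level 2 to level 0), modelled with and without ARPL. This is an added example, not code from the manual: the function names, the CS values and the sample selectors are constructed for illustration, and only the RPL arithmetic and the EPL rule of section 7.4.3 are modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* ARPL as section 7.4.4 describes it: leave the selector's RPL at the
   numeric maximum of its current RPL and the RPL of the caller's CS.
   Returns 1 when the RPL field was raised, 0 when it was left alone. */
int arpl(uint16_t *selector, uint16_t caller_cs)
{
    unsigned caller_rpl = caller_cs & 3u;
    if ((*selector & 3u) >= caller_rpl)
        return 0;
    *selector = (uint16_t)((*selector & 0xFFFCu) | caller_rpl);
    return 1;
}

/* Data access rule of section 7.4.3: EPL = max(CPL, RPL) <= DPL. */
int access_granted(unsigned cpl, uint16_t selector, unsigned dpl)
{
    unsigned rpl = selector & 3u;
    return (cpl > rpl ? cpl : rpl) <= dpl;
}

struct outcome { uint16_t selector_at_level0; int granted; };

/* The call chain of Figure 7-9: level 3 hands a selector to a level 2
   routine, which passes it on to level 0. The CS values are constructed;
   only their low two bits (the caller's privilege level) matter. */
struct outcome pass_down(uint16_t selector, unsigned target_dpl, int stamp)
{
    const uint16_t level3_cs = 0x0033, level2_cs = 0x002A;
    struct outcome o;

    if (stamp) {
        arpl(&selector, level3_cs);   /* in Level_2: puts 3 in the RPL field */
        arpl(&selector, level2_cs);   /* in Level_0: leaves RPL unchanged */
    }
    o.selector_at_level0 = selector;
    o.granted = access_granted(0, selector, target_dpl);  /* load at CPL 0 */
    return o;
}

int main(void)
{
    /* Constructed selector: GDT index 1 with RPL 0, naming a DPL 0 segment
       that the level 3 originator could not load itself. */
    struct outcome raw = pass_down(0x0008, 0, 0);
    struct outcome stamped = pass_down(0x0008, 0, 1);
    /* A selector for the originator's own DPL 3 data still works. */
    struct outcome own = pass_down(0x0007, 3, 1);

    printf("no ARPL:   selector %04X, granted=%d\n",
           raw.selector_at_level0, raw.granted);
    printf("with ARPL: selector %04X, granted=%d\n",
           stamped.selector_at_level0, stamped.granted);
    printf("own data:  selector %04X, granted=%d\n",
           own.selector_at_level0, own.granted);
    return 0;
}
```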


Privilege errors are trapped at the time the
selector is loaded because pointers are
commonly passed to other routines, and it
may not be possible to identify a pointer’s
originator. To verify the access capabilities of
a pointer, it should be tested when the pointer
is first received from an untrusted source. The
VERR (Verify Read), VERW (Verify
Write), and LAR (Load Access Rights)
instructions are provided for this purpose.


Although pointer validation is fully supported
in the iAPX 286, its use is an option of the
system designer. To accommodate systems
that do not require it, RPL can be ignored by
setting selector RPLs to zero (except stack
segment selectors) and not adjusting them
with the ARPL instruction.


Level 3:
        PUSH  SELECTOR            ; RPL value doesn’t matter at level 3
        CALL  LEVEL_2

Level_2:
        ENTER 4,0
        MOV   AX, [BP]+4          ; Get CS of return address, RPL=3
        ARPL  [BP]+6, AX          ; Put 3 in RPL field
        PUSH  WORD PTR [BP]+6     ; Pass selector
        CALL  Level_0

Level_0:
        ENTER 6,0
        MOV   AX, [BP]+4          ; Get CS of return address, RPL=2
        ARPL  [BP]+6, AX          ; Leaves RPL unchanged

Figure 7-9. Pointer Privilege Stamping


7.5 CONTROL TRANSFERS


Three kinds of control transfers can occur
within a task:


1. Within a segment, causing no change of
   privilege level (a short jump, call, or
   return).


2. Between segments at the same privilege
   level (a long jump, call, or return).


3. Between segments at different privilege
   levels (a long call, or return). (NOTE: A
   JUMP to a different privilege level is not
   allowed.)


The first two types of control transfers need
no special controls (with respect to privilege
protection) beyond those discussed in
section 7.4.


Inter-level transfers require special consideration
to maintain system integrity. The
protection hardware must check that:


• The task is currently allowed to access the
  destination address.


• The correct entry address is used.


To achieve control transfers, a special
descriptor type called a gate is provided to
mediate the change in privilege level. Control
transfer instructions call the gate rather than
transfer directly to a code segment. From the
viewpoint of the program, a control transfer
to a gate is the same as to another code
segment.


Gates allow programs to use other programs 
at more privileged levels in the same manner 
as a program at the same privilege level. 
Programmers need never distinguish between 
programs or subroutines that are more privi- 
leged than the current program and those that 
are not. The system designer may, however, 
elect to use gates only for control transfers 
that cross privilege levels. 


7.5.1 Gates 


A gate is a four-word control descriptor used 
to redirect a control transfer to a different 
code segment in the same or more privileged 
level or to a different task. There are four 
types of gates: call, trap, interrupt, and task 
gates. The access rights byte distinguishes a 
gate from a segment descriptor, and deter- 
mines which type of gate is involved. Figure 
7-10 shows the format of a gate descriptor. 


A key feature of a gate is the re-direction it 
provides. All four gate types define a new 
address which transfers control when invoked. 
This destination address normally cannot be 
accessed by a program. Loading the selector 
to a call gate into SS, DS, or ES will cause a 
general protection fault with an error code 
identifying the invalid selector. 


Only the selector portion of an address is used 
to invoke a gate. The offset is ignored. All that 
a program need know about the desired 
function is the selector required to invoke the 
gate. The iAPX 286 will automatically start 
the execution at the correct address stored 
within the gate.


A further advantage of a gate is that it 
provides a fixed address for any program to 
invoke another program. The calling 
program’s address remains unaltered even if 
the entry address of the destination program 
changes. Thus, gates provide a fixed set of 
entry points that allow a task to access 
Operating System functions such as simple
subroutines, yet the task is prohibited from
simply jumping into the middle of the
Operating System.


Call gates, as described in the next section, 
are used for control transfers within a task 
which must either be transparently redirected 
or which require an increase in privilege level. 
A call gate normally specifies a subroutine at 
a greater privilege level, and the called routine 
returns via a return instruction. Call gates also 
support delayed binding (resolution of target 
routine addresses at run-time rather than 
program-generation-time). 


Trap and interrupt gates handle interrupt 
operations that are to be serviced within the 
current task. Interrupt gates cause interrupts 
to be disabled; trap gates do not. Trap and 
interrupt gates both require a return via the 
interrupt return instruction. 


Task gates are used to control transfers 
between tasks and to make use of task state 
segments for task control and status information.
Tasks are discussed in Chapter 8,
interrupts in Chapter 9.


In the iAPX 286 protection model, each 
privilege level has its own stack. Therefore, a 
control transfer (call or return) that changes
the privilege level causes a new stack to be 
invoked. 


7.5.1.1 CALL GATES 


Call gate descriptors are used by call and 
jump instructions in the same manner as a 
code segment descriptor. The hardware 
automatically recognizes that the destination 
selector refers to a gate descriptor. Then, the 
operation of the instruction is expanded as 
determined by the contents of the call gate. 
A jump instruction can access a call gate only
if the target code segment is at the same
privilege level. A call instruction uses a call
gate for the same or more privileged access.


A call gate descriptor may reside in either the
GDT or the LDT, but not in the IDT. Figure
7-10 gives the complete layout of a call gate
descriptor.


A call gate can be referred to by either the
long JMP or CALL instructions. From the
viewpoint of the program executing a JMP or
CALL instruction, the fact that the destination
was reached via a call gate and not
directly from the destination address of the
instruction is not apparent.


Gate descriptor words shown in the figure: INTEL RESERVED* (+6),
WORD COUNT, DESTINATION SELECTOR, DESTINATION OFFSET.
*MUST BE SET TO 0 FOR COMPATIBILITY WITH iAPX 386


Gate Descriptor Fields

Name                   Description

Type                   Call Gate, Task Gate, Interrupt Gate, or
                       Trap Gate

Present                Descriptor Contents are not valid, or
                       Descriptor Contents are valid

DPL                    Descriptor Privilege Level

Word count             Number of words to copy from caller’s stack
                       to called procedure’s stack. Only used with
                       call gate.

Destination selector   16-bit selector. Selector to the target code
                       segment (Call, Interrupt or Trap Gate);
                       Selector to the target task state segment
                       (Task Gate)

Destination offset     16-bit offset. Entry point within the target
                       code segment


Figure 7-10. Gate Descriptor Format


The following is a description of the protection
checks performed while transferring
control (with the CALL instruction) through
a call gate:


• Verifying that access to the call gate is
  allowed. One of the protection features
  provided by call gates is the access checks
  made to determine if the call gate may
  be used (i.e., checking if the privilege level
  of the calling program is adequate).


• Determining the destination address and
  whether a privilege transition is required.
  This feature makes privilege transitions
  transparent to the caller.


• Performing the privilege transition, if
  required.


Verifying access to a call gate is the same for 
any call gate and is independent of whether a 
JMP or CALL instruction was used. The rules 
of privilege used to determine whether a data 
segment may be accessed are employed to 
check if a call gate may be jumped-to or 
called. Thus, privileged subroutines can be 
hidden from untrusted programs by the 
absence of a call gate. | | 


When an inter-segment CALL or JMP
instruction selects a call gate, the gate’s
privilege and presence will be checked. The gate’s
DPL (in the access byte) is checked against
the EPL (MAX (task CPL, selector RPL)).
If EPL > DPL, the program is less privileged
than the gate and therefore it may not
make a transition. In this case, a general
protection fault occurs with an error code
identifying the gate. Otherwise, the gate is
accessible from the program executing the
call, and the control transfer is allowed to
continue. After the privilege checks, the
descriptor presence is checked. If the present
bit of the gate access rights byte is 0 (i.e., the
target code segment is not present), a not
present fault occurs with an error code
identifying the gate.


The checks indicated in table 7-3 are applied 
to the contents of the call gate. Violating any 
of them causes the exception shown. The low 
order two bits of the error code are zero for 
these exceptions. 


7.5.1.2 INTRA-LEVEL TRANSFERS VIA CALL GATE 


The transfer is Intra-level if the destination 
code segment is at the same privilege level as 
CPL. Either the code segment is non- 
conforming with DPL = CPL or it is 
conforming, with DPL < CPL (see section 
11.2 for this case). The 32-bit destination 
address in the gate is loaded into CS:IP. 


Table 7-3. Call Gate Checks


Check                                        Error Code
Selector is not Null                         0
Selector is within Descriptor Table Limit    Selector id
Descriptor is a Code Segment                 Code Segment id
Code Segment is Present                      Code Segment id
Nonconforming Code Segment DPL > CPL         Code Segment id


NOTES:

GP = General Protection, NP = Not-Present Exception.

The offset portion of the JMP or CALL destination address which refers to a call gate is always ignored.
If the IP value is not within the limit of the
code segment, a general protection fault 
occurs with an error code of 0. If a CALL 
instruction is used, the return address is saved 
in the normal manner. The only effect of the 
call gate is to place a different address into 
CS:IP than that specified in the destination 
address of the JMP or CALL instruction. This 
feature is useful for systems which require 
that a fixed address be provided to programs, 
even though the entry address for the routine 
may change due to different functions, 
software changes, or segment relocation. 


7.5.1.3 INTER-LEVEL CONTROL TRANSFER VIA
CALL GATES


If the destination code segment of the call
gate is at a different privilege level than the
CPL, an inter-level transfer is being
requested. However, if the destination code
segment DPL > CPL, then a general protection
fault occurs with an error code identifying
the destination code segment.


The gate guarantees that all transitions to a 
more privileged level will go to a valid entry 
point rather than possibly into the middle of 
a procedure (or worse, into the middle of an 
instruction). See figure 7-11. 


Calls to more privileged levels may be 
performed only through call gates. A JMP 
instruction can never cause a privilege change. 
Any attempt to use a call gate in this manner 
will cause a general protection fault with an 
error code identifying the gate. Returns to 
more privileged levels are also prohibited. 
Inter-level transitions due to interrupts use a 
different gate, as discussed in Chapter 9. 


[Figure: a CALL instruction (OPCODE, OFFSET, SELECTOR), the DESCRIPTOR TABLES, and the TARGET CODE SEGMENT.]


Figure 7-11. Call Gate


The RPL field of the CS selector saved as part
of the return address will always identify the
caller’s CPL. This information is necessary to
correctly return to the caller’s privilege level
during the return instruction. Since the CALL
instruction places the CS value on the more
privileged stack, and JMP instructions cannot
change privilege levels, it is not possible for a
program to maliciously place an invalid return
address on the caller’s stack.


7.5.1.4 STACK CHANGES CAUSED BY CALL GATES


To maintain system integrity, each privilege 
level has a separate stack. Furthermore, each 
task normally uses separate stacks from other 
tasks for each privilege level. These stacks 
assure sufficient stack space to process calls 
from less privileged levels. Without them, 
trusted programs may not work correctly, 
especially if the calling program does not 
provide sufficient space on the caller’s stack. 


When a call gate is used to change privilege 
levels, a new stack is selected as determined 
by the new CPL. The new stack pointer value 
is loaded from the Task State Segment (TSS). 
The privilege level of the new stack data 
segment must equal the new CPL; if it does 
not, a task stack fault occurs with the saved 
machine state pointing at the CALL instruc- 
tion and the error code identifying the invalid 
stack selector. 


The new stack should contain enough space 
to hold the old SS:SP, the return address, and 
all parameters and local variables required to 
process the call. The initial stack pointers for 
privilege levels 0-2 in the TSS are strictly read 
only values. They are never changed during 
the course of execution. 


The normal technique for passing parameters
to a subroutine is to place them onto the stack.
To make privilege transitions transparent to
the called program, a call gate specifies that
parameters are to be copied from the old stack
to the new stack. The word count field in a
call gate (see figure 7-10) specifies how many
words (up to 31) are to be copied from the
caller’s stack to the new stack. If the word
count is zero, no parameters are copied.


Before copying the parameters, the new stack 
is checked to assure that it is large enough to 
hold the parameters; if it is not, a stack fault 
occurs with an error code of 0. After the 
parameters are copied, the return link is on 
the new stack (i.e., a pointer to the old stack 
is placed in the new stack). In particular, the 
return address is pointed at by SS:SP. The 
call and return example of figure 7-12 illus- 
trate the stack contents after a successful 
inter-level call. 


The stack pointer of the caller is saved above 
the caller’s return address as the first two 
words pushed onto the new stack. The caller’s 
stack can only be saved for calls to proce- 
dures at privilege levels 2, 1, and 0. Since level 
3 cannot be called by any procedure at any 
other privilege level, the level 3 stack will 
never contain links to other stacks. 


Procedures requiring more than the 31 words
for parameters that may be called from
another privilege level must use the saved
SS:SP link to access all parameters beyond
the last word copied.


The call gate does not check the values of the
words copied onto the new stack. The called
procedure should check each parameter for
validity. Section 11.3 discusses how the
ARPL, VERR, VERW, LSL, and LAR
instructions can be used to check pointer
values.
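

The call gate checks and the stack switch of sections 7.5.1.1 through 7.5.1.4, modelled in C as an added example (not code from the manual). The struct names, the 128-byte stacks and the selector values are constructed for the illustration, and descriptors are reduced to the fields the text uses.

```c
#include <stdint.h>
#include <stdio.h>

enum fault { NO_FAULT, GP_FAULT, NP_FAULT, STACK_FAULT, TASK_STACK_FAULT };

/* Simplified descriptors: only the fields the checks in the text use. */
struct gate    { uint8_t present, dpl, word_count; uint16_t sel, off; };
struct codeseg { uint8_t present, dpl, conforming; uint16_t limit; };
struct stack   { uint16_t sel; uint8_t dpl; uint16_t mem[64]; }; /* 128 bytes */
struct cpu {
    uint8_t cpl; uint16_t cs, ip, sp; struct stack *ss;
    struct { struct stack *ss; uint16_t sp; } tss[3]; /* static SS:SP, levels 0-2 */
};

static void push(struct stack *s, uint16_t *sp, uint16_t v)
{
    *sp -= 2;
    s->mem[*sp / 2] = v;
}

/* Far CALL (is_call = 1) or JMP (is_call = 0) whose selector, carrying
 * requested privilege sel_rpl, names call gate g with target segment dst. */
enum fault gate_transfer(struct cpu *c, uint8_t sel_rpl, const struct gate *g,
                         const struct codeseg *dst, int is_call, uint16_t ret_ip)
{
    uint8_t epl = c->cpl > sel_rpl ? c->cpl : sel_rpl;       /* MAX(CPL, RPL) */
    uint8_t n = g->word_count & 31;
    uint16_t ret_cs = (uint16_t)((c->cs & 0xFFFC) | c->cpl); /* RPL = caller CPL */

    if (epl > g->dpl)        return GP_FAULT;  /* gate not accessible to caller */
    if (!g->present)         return NP_FAULT;
    if (!dst->present)       return NP_FAULT;
    if (dst->dpl > c->cpl)   return GP_FAULT;  /* target is less privileged */
    if (g->off > dst->limit) return GP_FAULT;  /* entry point outside segment */

    if (dst->conforming || dst->dpl == c->cpl) {  /* intra-level, CPL unchanged */
        if (is_call) {
            if (c->sp < 4) return STACK_FAULT;
            push(c->ss, &c->sp, ret_cs);
            push(c->ss, &c->sp, ret_ip);
        }
        c->cs = (uint16_t)((g->sel & 0xFFFC) | c->cpl);
        c->ip = g->off;
        return NO_FAULT;
    }
    if (!is_call) return GP_FAULT;             /* JMP never changes privilege */

    /* Inter-level CALL: take the static stack for the new CPL from the TSS. */
    uint8_t new_cpl = dst->dpl;
    struct stack *ns = c->tss[new_cpl].ss;
    uint16_t nsp = c->tss[new_cpl].sp;
    if (ns == NULL || ns->dpl != new_cpl) return TASK_STACK_FAULT;
    if (nsp > sizeof ns->mem || nsp < 2 * (4 + n)) return STACK_FAULT;
    if (c->sp + 2u * n > sizeof c->ss->mem) return STACK_FAULT; /* model bound */

    push(ns, &nsp, c->ss->sel);                /* old SS */
    push(ns, &nsp, c->sp);                     /* old SP */
    for (int i = n; i-- > 0; )                 /* parameters, order preserved */
        push(ns, &nsp, c->ss->mem[c->sp / 2 + i]);
    push(ns, &nsp, ret_cs);
    push(ns, &nsp, ret_ip);                    /* SS:SP now points at return IP */

    c->ss = ns; c->sp = nsp; c->cpl = new_cpl;
    c->cs = (uint16_t)((g->sel & 0xFFFC) | new_cpl);
    c->ip = g->off;
    return NO_FAULT;
}

int main(void)
{
    /* Constructed scenario: level 3 caller, level 0 service, two parameters. */
    static struct stack outer = { .sel = 0x0023, .dpl = 3 };
    static struct stack inner = { .sel = 0x0010, .dpl = 0 };
    struct cpu c = { .cpl = 3, .cs = 0x001B, .ip = 0x0100, .sp = 128, .ss = &outer };
    struct gate g = { .present = 1, .dpl = 3, .word_count = 2,
                      .sel = 0x0008, .off = 0x0040 };
    struct codeseg os = { .present = 1, .dpl = 0, .conforming = 0, .limit = 0x0FFF };
    c.tss[0].ss = &inner;
    c.tss[0].sp = 128;

    push(&outer, &c.sp, 0x2222);
    push(&outer, &c.sp, 0x1111);
    enum fault f = gate_transfer(&c, 3, &g, &os, 1, 0x0105);
    printf("fault=%d CPL=%d SP=%#x\n", f, c.cpl, (unsigned)c.sp);
    for (int i = c.sp / 2; i < 64; i++)
        printf("  SS:%04x  %04x\n", (unsigned)(i * 2), (unsigned)inner.mem[i]);
    return 0;
}
```

The printed words, from SS:SP upward, are the return IP, the return CS (RPL 3), the two copied parameters, the old SP and the old SS, which is the layout the inter-level return later unwinds.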


7.5.2 Inter-Level Returns 


An inter-segment return instruction can also
change levels, but only toward programs of
equal or lesser privilege (when code segment
DPL is numerically greater than or equal to the
CPL). The RPL of the selector popped off the
stack by the return instruction identifies the
privilege level to resume execution of the
calling program.


[Figure: OLD STACK (at “outer” privilege level) and NEW STACK (at “inner” privilege level), with labels HIGHER ADDRESSES, SS:SP FROM TSS, DIRECTION OF STACK GROWTH, and NEW SS:SP.]


Figure 7-12. Stack Contents After an Inter-Level Call


When the RET instruction encounters a saved 
CS value whose RPL > CPL, an inter-level 
return occurs. Checks shown in table 7-4 are 
made during such a return. 


The old SS:SP value is then adjusted by the
number of bytes indicated in the RET
instruction and loaded into SS:SP. The new
SP value is not checked for validity. If SP is
invalid it is not recognized until the first stack
operation. The SS:SP value of the returning
program is not saved. (Note: this value
normally is the same as that saved in the
TSS.)


The last step in the return is checking the 
contents of the DS and ES descriptor regis- 
ter. If DS or ES refer to segments whose DPL 
is greater than the new CPL (excluding 
conforming code segments), the segment 
registers are loaded with the null selector. Any 
subsequent memory reference that attempts 
to use the segment register containing the null 
selector will cause a general protection fault. 
This prevents less privileged code from 
accessing more privileged data previously 
accessed by the more privileged program. 


Table 7-4. Inter-Level Return Checks


Check                                                        Error Code
SP is not within Segment Limit                               0
SP + N + 7 is not in Segment Limit                           0
RPL of Return CS is Greater than CPL                         Return CS id
Return CS Selector is not null                               Return CS id
Return CS segment is within Descriptor Table Limit           Return CS id
Return CS Descriptor is a Code Segment                       Return CS id
Return CS Segment is Present                                 Return CS id
DPL of Return Non-Conforming Code Segment = RPL of CS        Return CS id
SS Selector at SP + N + 6 is not Null                        Return SS id
SS Selector at SP + N + 6 is within Descriptor Table Limit   Return SS id
SS Descriptor is Writable Data Segment                       Return SS id
SS Segment is Present                                        Return SS id
SS Segment DPL = RPL of CS                                   Return SS id


SF = Stack Fault, GP = General Protection Exception, NP = Not-Present Exception


CHAPTER 8 
TASKS AND STATE TRANSITIONS 


8.1 INTRODUCTION 


An iAPX 286 task is a single, sequential
thread of execution. Each task can be isolated
from all other tasks. There may be many tasks
associated with an iAPX 286 CPU, but only
one task executes at any time. Switching the
CPU from executing one task to executing
another can occur as the result of either an
interrupt or an inter-task CALL, JMP or
IRET. A hardware-recognized data structure
defines each task.


The iAPX 286 provides a high performance 
task switch operation with complete isolation 
between tasks. A full task-switch operation 
takes only 22 microseconds at 8 MHz 
(18 microseconds at 10 MHz). High- 
performance, interrupt-driven, multi- 
application systems that need the benefits of 
protection are feasible with the 80286. 


A performance advantage and system design
advantage arise from the iAPX 286 task
switch:


• Faster task switch: A task switch is a
  single instruction performed by microcode.
  Such a scheme is 2-3 times faster
  than an explicit task switch instruction.
  A fast task switch translates to a significant
  performance boost for heavily multitasked
  systems over conventional methods.


• More reliable, flexible systems: The
  isolation between tasks and the high speed
  task switch allows interrupts to be
  handled by separate tasks rather than
  within the currently interrupted task. This
  isolation of interrupt handling code from
  normal programs prevents undesirable
  interactions between them. The interrupt
  system can become more flexible since
  adding an interrupt handler is as safe and
  easy as adding a new task.


• Every task is protected from all others via
  the separation of address spaces described
  in Chapter 7, including allocation of
  unique stacks to each active privilege level
  in each task (unless explicit sharing is
  planned in advance). If the address spaces
  of two tasks include no shared data, one
  task cannot affect the data of another
  task. Code sharing is always safe since
  code segments may never be written into.


8.2 TASK STATE SEGMENTS AND 
DESCRIPTORS 


Tasks are defined by a special control segment 
called a Task State Segment (TSS). For each 
task, there must be an unique TSS. The 
definition of a task includes its address space 
and execution state. A task is invoked (made 
active) by inter-segment jump or call instruc- 
tions whose destination address refers to a 
task state segment or a task gate. 


The Task State Segment (TSS) has a special 
descriptor. The Task Register within the CPU 
contains a selector to that descriptor. Each 
TSS selector value is unique, providing an 
unambiguous “identifier” for each task. Thus, 
an operating system can use the value of the 
TSS selector to uniquely identify the task. 


A TSS contains 22 words that define the
contents of all registers and flags, the initial
stacks for privilege levels 0-2, the LDT selector,
and a link to the TSS of the previously
executing task. Figure 8-1 shows the layout
of the TSS. The TSS can not be written into
like an ordinary data segment.


[Figure: the TASK REGISTER selects the TSS DESCRIPTOR.

An available task state segment may be used as the destination of a task
switch operation. A busy task state segment cannot be used as the
destination of a task switch.

P = 1: base and limit fields are valid.
P = 0: segment is not present in memory; base and limit are not defined.

Task state segment entries, with byte offsets where legible:

    TASK LDT SELECTOR
    DS SELECTOR
    SS SELECTOR
    CS SELECTOR                36
    ES SELECTOR                34
    FLAG WORD                  16
    IP (ENTRY POINT)           14
    SS FOR CPL 2               12
    SP FOR CPL 2               10
    SS FOR CPL 1                8
    SP FOR CPL 1                6
    SS FOR CPL 0                4
    SP FOR CPL 0                2
    BACK LINK SELECTOR TO TSS

The SS and SP entries for CPL 0, 1, 2 are the INITIAL STACKS (1).

(1) Never altered (static) after initialization by O.S. The values as
    initialized for this task are always valid SS:SP values to use upon
    entry to that privilege level (0, 1, or 2) from a level of lesser
    privilege.

(2) Changed during task switch.]


Figure 8-1. Task State Segment and TSS Registers


Each TSS consists of two parts, a static
portion and a dynamic portion. The static 
entries are never changed by the iAPX 286, 
while the dynamic entries are changed by each 
task switch out of this task. The static portions 
of this segment are the task LDT selector and 
the initial SS:SP stack pointer addresses for 
levels 0-2. 


The modifiable or dynamic portion of the task 
state segment consists of all dynamically- 
variable and programmer-visible processor 
registers, including flags, segment registers, 
and the instruction pointer. It also includes 
the linkage word used to chain nested invoca- 
tions of different tasks. 


The link word provides a history of which
tasks invoked others. The link word is impor- 
tant for restarting an interrupted task when 
the interrupt has been serviced. Placing the 
back link in the TSS protects the identity of 
the interrupted task from changes by the 
interrupt task, since the TSS is not writable 
by the interrupt task. (In most systems only 
the operating system has sufficient privilege 
to create or use a writable data segment 
“alias” descriptor for the TSS.) 


The stack pointer entries in the TSS for privi- 
lege levels 0-2 are static (i.e., never written 
during a privilege or task switch). They define 
the stack to use upon entry to that privilege
level. These stack entries are initialized by the 
operating system when the task is created. If 
a privilege level is never used, no stack need 
be allocated for it. 


When entering a more privileged level, the 
caller’s stack pointer is saved on the stack of 
the new privilege level, not in the TSS. 
Leaving the privilege level requires popping 
the caller’s return address and stack pointer 
off the current stack. The stack pointer at that 
time will be the same as the initial value 
loaded from the TSS upon entry to the privilege
level.


There is only one stack active at any time, the 
one defined by the SS and SP registers. The 
only other stacks that may be non-empty are 
those at outer (less privileged) levels that 
called the current level. Stacks for inner levels 
must be empty, since outward (to numeri- 
cally larger privilege levels) calls from inner 
levels are not allowed. 


The location of the stack pointer for an outer 
privilege level will always be found at the start 
of the stack of the inner privilege level called 
by that level. That stack may be the initial 
stack for this privilege level or an outer level. 
Look at the start of the stack for this privi- 
lege level. The TSS contains the starting stack 
address for levels 0-2. If the RPL of the saved 
SS selector is the privilege level required, then 
the stack pointer has been found. Otherwise, 
go to the beginning of the stack defined by 
that value and look at the saved SS:SP value 
there. 


8.2.1 Task State Segment Descriptors 


A special descriptor is used for task state 
segments. This descriptor must be accessible 
at all times; therefore, it can appear only in 
the GDT. The access byte distinguishes TSS 
descriptors from data or code segment 
descriptors. When bits 0 through 4 of the 
access byte are 00001 or 00011, the descriptor
is for a TSS.


The complete layout of a task state segment 
descriptor is shown in figure 8-2. 


Like a data segment, the descriptor contains
a base address and limit field. The limit must
be at least 002BH (43) to contain the
minimum amount of information required for
a TSS. An invalid task exception will occur if
an attempt is made to switch to a task whose
TSS descriptor limit is less than 43. The error
code will identify the bad TSS.


[Figure: TSS descriptor words INTEL RESERVED*, TSS BASE, TSS LIMIT. B = 1 means task is busy and not available. *Must be set to 0 for compatibility with iAPX 386.]


Figure 8-2. TSS Descriptor


The P-bit (Present) flag indicates whether this 
descriptor contains currently valid informa- 
tion: 1 means yes, 0 no. A task switch that 
attempts to reference a not-present TSS 
causes a not-present exception code identify- 
ing the task state segment selector. 


The descriptor privilege level (DPL) controls 
use of the TSS by JMP or CALL instruc- 
tions. By the same reasoning as that for call 
gates, DPL can prevent a program from 
calling the TSS and thereby cause a task 
switch. Section 8.3 discusses privilege consid- 
erations during a task switch in greater detail. 


Bit 4 is always 0 since TSS is a control
segment descriptor. Control segments cannot
be accessed by SS, DS, or ES. Any attempt
to load those segment registers with a selector
that refers to a control segment causes a
general protection trap. This rule prevents the
program from improperly changing the
contents of a control segment.


TSS descriptors can have two states: idle and
busy. Bit 1 of the access byte distinguishes
them. The distinction is necessary since tasks
are not re-entrant; a busy TSS may not be
invoked.


8.3 TASK SWITCHING


A task switch may occur in one of four ways: 


1. The destination selector of a long JMP or 
CALL instruction refers to a TSS 
descriptor. The offset portion of the 
destination address is ignored. 


2. An IRET instruction is executed when 
the NT bit in the flag word = 1. The new 
task TSS selector is in the back link field 
of the current TSS. 


3. The destination selector of a long JMP or
CALL instruction refers to a task gate. 
The offset portion of the destination 
address is ignored. The new task TSS 
selector is in the gate. (See section 8.5 for 
more information on task gates.) 


4. An interrupt occurs. This interrupt’s 
vector refers to a task gate in the inter- 
rupt descriptor table. The new task TSS 
selector is in the gate. See section 9.4 for 
more information on interrupt tasks. 


No new instructions are required for a task
switch operation. The standard iAPX 86
JMP, CALL, IRET, or interrupt operations
perform this function. The distinction between
the standard instruction and a task switch is
made either by the type of descriptor
referenced (for CALL, JMP, or INT) or by the
NT bit (for IRET) in flag word.


Using the CALL or INT instruction to switch
tasks implies a return is expected from the
called task. The JMP and IRET instructions
imply no return is expected from the new task.


When NT=1, the IRET instruction causes a 
return to the task that called the current one 
via CALL or INT instruction. 


Access to TSS and task gate descriptors is
restricted by the rules of privilege level. The data
access rules are used, thereby allowing task
switches to be restricted to programs of sufficient
privilege. Address space separation does
not apply to TSS descriptors since they must
be in the GDT. The access rules for interrupts
are discussed in section 9.4.


For JMP or CALL instructions that refer- 
ence a TSS descriptor or task gate, the effec- 
tive privilege level of the destination selector 
(i.e., the numeric maximum of the selector’s 
RPL and current CPL) must be less than or 
equal to the descriptor DPL. If it is not, a 
general protection fault will occur with an 
error code identifying the descriptor. 


Once access to the TSS has been granted, the 
task switch operation involves five steps: 


1. Checking that the current task is allowed
   to switch to the designated task: Data
   access privilege rules are applied for the
   JMP/CALL cases. The current task
   becomes the outgoing task.


2. Checking that the new task is present and
   has a proper TSS limit: The new task
   becomes the incoming task. All errors up
   to this point are handled in the context of
   the outgoing task. The errors are restartable
   and error handling is transparent to
   the application program.


3. Saving the state of the outgoing task: The
   outgoing TSS selector is in the TR. The
   dynamic portion of the outgoing TSS is
   written with the corresponding CPU
   register values (e.g., AX, BX, CX, DX,
   SI, DI, BP, SP, ES, DS, SS, CS, IP, and
   flag register). The IP value points at the
   instruction following the one which
   caused the task switch.


4. Load TR with the incoming task selec- 
tor, mark the incoming task’s descriptor 
as busy, and set TS. 


5. Load the incoming task state and resume 
execution: The following registers are 
loaded: LDT, AX, BX, CX, DX, SI, DI, 
BP, SP, ES, DS, SS, CS, IP, and flag 
register. Any errors detected in this step 
are handled in the context of the incom- 
ing task. It will appear as if the first 
instruction of the new task had not yet 
executed. 


Note that the state of the outgoing task is
always saved. If execution of that task is
resumed, it will start after the instruction that
caused the task switch. The values of the
registers will be the same as that when the
task stopped running.


Any task switch sets the Task Switched (TS) 
bit in the Machine Status Word (MSW). This 
flag is used when processor extensions such 
as the 80287 Numeric Processor Extension 
are present. The TS bit signals that the 
context of the processor extension may not 
belong to the current iAPX 286 task. Chapter 
11 discusses the TS bit and processor exten- 
sions in more detail. 


The checks in table 8-1 are made during the 
task switch. All the requirements shown in the 
table must be satisfied for the task switch to 
occur without an exception. For each check, 
the type of exception and error code are 
described. Up to and including step 3, the 
exception occurs in the context of the outgo- 
ing task. After step 3, the incoming task is 
considered valid. All exceptions occur in the 
context of the incoming task. 


Table 8-1. Checks Made During a Task Switch


Test  Check                                     Exception*   Error Code
1     Incoming TSS descriptor is present        NP           Incoming TSS selector
2     Incoming TSS is idle                      GP           Incoming TSS selector
3     Limit of incoming TSS greater than 43     Invalid TSS  Incoming TSS selector
4     LDT selector of incoming TSS is valid     Invalid TSS  Incoming TSS selector
5     LDT of incoming TSS is present            Invalid TSS  Incoming TSS selector
6     CS selector is valid                      Invalid TSS  Code segment selector
7     Code segment is present                   NP           Code segment selector
8     Code segment DPL matches CS RPL           Invalid TSS  Code segment selector
9     Stack segment is valid                                 Stack segment selector
10    Stack segment is writable data segment                 Stack segment selector
11    Stack segment is present                               Stack segment selector
12    Stack segment DPL = CPL                                Stack segment selector
13    DS/ES selectors are valid                              Segment selector
14    DS/ES segments are readable                            Segment selector
15    DS/ES segments are present                             Segment selector
16    DS/ES segment DPL = CPL if not conform                 Segment selector


*NP = Not-Present Exception
GP = General Protection Fault
SF = Stack Fault


Validity tests on a selector ensure that the
selector is in the proper table (i.e., the LDT
selector refers to GDT), lies within the bounds
of the table, and refers to the proper type of
descriptor (i.e., the LDT selector refers to the
LDT descriptor).


Note that between steps 3 and 4 in table 8-1,
all the registers of the new task are loaded.
Several protection rule violations may exist in
the new segment register contents. If an
exception occurs in the context of the new task
due to checks performed on the newly loaded
descriptors, the DS and ES segments may not
be accessible even though the segment registers
contain non-zero values. These selector
values must be saved for later reuse. When
the exception handler reloads these segment
registers, another protection exception may
occur unless the exception handler
pre-examines them and fixes any potential
problems.


A task switch allows flexibility in the privilege
level of the outgoing and incoming tasks.
The privilege level at which execution resumes
in the incoming task is not restricted by the
privilege level of the outgoing task. This is
reasonable, since both tasks are isolated from
each other with separate address spaces and
machine states. The privilege rules prevent
improper access to a TSS. The only interaction
between the tasks is to the extent that
one started the other and the incoming task
may restart the outgoing task by executing an
IRET instruction.


8.4 TASK LINKING 


The TSS has a field called “back link” which 
contains the selector of the TSS of a task that 
should be restarted when the current task 
completes. The back link field of an inter- 
rupt-initiated task is automatically written 
with the TSS selector of the interrupted task. 
A task switch initiated by a CALL instruction
also points the back link at the outgoing
task’s TSS. Such task nesting is indicated to
programs via the Nested Task (NT) bit in the
flag word of the incoming task.


Task nesting is necessary for interrupt
functions to be processed as separate tasks.
The interrupt function is thereby isolated from
all other tasks in the system. To restart the
interrupted task, the interrupt handler
executes an IRET instruction much in the
same manner as an iAPX 86 interrupt
handler. The IRET instruction will then cause
a task switch to the interrupted task.


Completion of a task occurs when the IRET
instruction is executed with the NT bit in the
flag word set. The NT bit is automatically
set/reset by task switch operations as appropriate.
Executing an IRET instruction with
NT cleared causes the normal iAPX 86 interrupt
return function to be performed, and no
task switch occurs.


Executing IRET with NT set causes a task
switch to the task defined by the back link
field of the current TSS. The selector value is
fetched and verified as pointing to a valid,
accessible TSS. The normal task switch
operation described in section 8.3 then occurs.
After the task switch is complete, the outgoing
task is now idle and considered ready to
process another interrupt.


Table 8-2 shows how the busy bit, NT bit, 
and link word of the incoming and outgoing 
task are affected by task switch operations 
caused by JMP, CALL, or IRET 
instructions. 


Violation of any of the busy bit requirements
shown in table 8-2 causes a general protection
fault with the saved machine state
appearing as if the instruction had not
executed. The error code identifies the selector
of the TSS with the busy bit.


A bus lock is applied during the testing and 
setting of the TSS descriptor busy bit to 
ensure that two processors do not invoke the 
same task at the same time. See also section 
11.4 for other multi-processor considerations. 


The linking order of tasks may need to be
changed to restart an interrupted task before
the task that interrupted it completes. To
remove a task from the list, trusted operating
system software must change the backlink
field in the TSS of the interrupting task first,
then clear the busy bit in the TSS descriptor
of the task removed from the list.


Table 8-2. Effect of a Task Switch on BUSY and NT Bits and the Link Word


Busy bit of incoming task TSS descriptor
    JMP instruction effect:       Set, must be 0 before
    CALL/INT instruction effect:  Set, must be 0 before
    IRET instruction effect:      Unchanged, must be set

Busy bit of outgoing task TSS descriptor
    JMP instruction effect:       Cleared
    CALL/INT instruction effect:  Unchanged (will already be 1)
    IRET instruction effect:      Cleared

NT bit in incoming task flag word
    JMP instruction effect:       Cleared
    CALL/INT instruction effect:  Set
    IRET instruction effect:      Unchanged

NT bit in outgoing task flag word
    JMP instruction effect:       Unchanged
    CALL/INT instruction effect:  Unchanged
    IRET instruction effect:      Cleared

Back link in incoming task TSS
    JMP instruction effect:       Unchanged
    CALL/INT instruction effect:  Set to outgoing task TSS selector
    IRET instruction effect:      Unchanged

Back link of outgoing task TSS
    JMP instruction effect:       Unchanged
    CALL/INT instruction effect:  Unchanged
    IRET instruction effect:      Unchanged


When trusted software deletes the link from
one task to another, it should place a value in 
the backlink field, which will pass control to 
that trusted software when the task attempts 
to resume execution of another task via IRET. 
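

An added C model (not code from the manual) of the TSS access checks from section 8.3 and the busy bit, NT bit and back link effects from table 8-2, including the unlink order described above. The struct layout, function names and selector values are assumptions made for the example; the separate access rules for interrupts (section 9.4) are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

enum sw_kind   { SW_JMP, SW_CALL, SW_IRET };
enum sw_result { SW_OK, SW_NO_SWITCH, SW_GP, SW_NP, SW_INVALID_TSS };

struct task {
    uint16_t tss_sel;    /* selector of the TSS descriptor in the GDT */
    uint8_t  present;    /* P bit of the descriptor */
    uint8_t  dpl;        /* descriptor privilege level */
    uint8_t  busy;       /* busy bit (bit 1 of the access byte) */
    uint16_t limit;      /* TSS limit, at least 43 (002BH) */
    uint8_t  cpl;        /* level at which this task runs (model field) */
    uint8_t  nt;         /* NT bit in the task's flag word */
    uint16_t back_link;  /* back link word in the TSS */
};

struct machine { struct task *task; int ntasks; struct task *cur; };

static struct task *lookup(struct machine *m, uint16_t sel)
{
    for (int i = 0; i < m->ntasks; i++)
        if ((m->task[i].tss_sel & 0xFFFC) == (sel & 0xFFFC))
            return &m->task[i];
    return NULL;
}

/* One task switch. For JMP/CALL, sel names a TSS descriptor; for IRET it is
 * ignored and the back link is used. On a fault, *err receives the selector
 * the error code would identify and no state is changed. */
enum sw_result task_switch(struct machine *m, enum sw_kind k, uint16_t sel,
                           uint16_t *err)
{
    struct task *out = m->cur, *in;

    if (k == SW_IRET) {
        if (!out->nt) return SW_NO_SWITCH;    /* ordinary interrupt return */
        sel = out->back_link;
    }
    *err = sel;
    in = lookup(m, sel);
    if (in == NULL) return SW_GP;             /* model: selector names no TSS */
    if (k != SW_IRET) {                       /* data access rule: EPL <= DPL */
        uint8_t rpl = sel & 3, epl = out->cpl > rpl ? out->cpl : rpl;
        if (epl > in->dpl) return SW_GP;
    }
    if (!in->present)               return SW_NP;
    if (in->busy != (k == SW_IRET)) return SW_GP;  /* tasks are not re-entrant */
    if (in->limit < 43)             return SW_INVALID_TSS;

    switch (k) {                              /* effects listed in table 8-2 */
    case SW_JMP:  out->busy = 0; in->busy = 1; in->nt = 0; break;
    case SW_CALL: in->busy = 1; in->nt = 1; in->back_link = out->tss_sel; break;
    case SW_IRET: out->busy = 0; out->nt = 0; break;
    }
    m->cur = in;
    return SW_OK;
}

/* Trusted-OS step from section 8.4: detach the task that `interrupter` would
 * return to. The back link is re-pointed first, then the busy bit is cleared. */
int unlink_interrupted(struct machine *m, struct task *interrupter,
                       uint16_t trusted_sel)
{
    struct task *victim = lookup(m, interrupter->back_link);
    if (victim == NULL || !victim->busy) return -1;
    interrupter->back_link = trusted_sel;
    victim->busy = 0;
    return 0;
}

int main(void)
{
    struct task t[3] = {   /* constructed selectors and privilege levels */
        { .tss_sel = 0x0020, .present = 1, .dpl = 3, .busy = 1, .limit = 43, .cpl = 3 },
        { .tss_sel = 0x0028, .present = 1, .dpl = 3, .limit = 43, .cpl = 0 },
        { .tss_sel = 0x0030, .present = 1, .dpl = 0, .limit = 43, .cpl = 0 },
    };
    struct machine m = { t, 3, &t[0] };
    uint16_t err = 0;

    printf("A: JMP to DPL 0 TSS -> %d\n", task_switch(&m, SW_JMP, 0x0030, &err));
    printf("A: CALL B           -> %d\n", task_switch(&m, SW_CALL, 0x0028, &err));
    printf("B: CALL A (busy)    -> %d\n", task_switch(&m, SW_CALL, 0x0020, &err));
    printf("B: IRET             -> %d\n", task_switch(&m, SW_IRET, 0, &err));
    printf("A busy=%d, B busy=%d nt=%d\n", t[0].busy, t[1].busy, t[1].nt);
    return 0;
}
```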


8.5 TASK GATES 


A task may be invoked by several different 
events. Task gates are provided to support this 
need. Task gates are used in the same way as 
call and interrupt gates. The ultimate effect 
of jumping to or calling a task gate is the same 
as jumping to or calling directly to the TSS 
in the task gate.


Figure 8-3 depicts the layout of a task gate. 


A task gate is identified by the access byte
field in bits 0 through 4 being 00101. The gate
provides an extra level of indirection between
the destination address and the TSS selector
value. The offset portion of the JMP or CALL
destination address is ignored.


Gate use provides flexibility in controlling
access to tasks. Task gates can appear in the
GDT, IDT, or LDT. The TSS descriptors for
all tasks must be kept in the GDT. They are
normally placed at level 0 to prevent any task
from improperly invoking another task. Task
gates placed in the LDT allow private access
to selected tasks with full privilege control.


The data segment access rules apply to 
accessing a task gate via JMP, CALL, or INT 
instructions. The effective privilege level 
(EPL) of the destination selector must be 
numerically less than or equal to the DPL of 
the task gate descriptor. Any violation of this 
requirement causes a general protection fault 
with an error code identifying the task gate 
involved. | 


Once access to the task gate has been verified, 
the TSS selector from the gate is read. The 
RPL of the TSS selector is ignored. From this 
point, all the checks and actions performed 
for a JMP or CALL to a TSS after access 
has been verified are performed (see section 
8.4). Figure 8-4 illustrates an example of a 
task switch through a task gate. 


Figure 8-3. Task Gate Descriptor 
(Figure labels: INTEL RESERVED*, TSS SELECTOR. *Must be set to 0 for compatibility with iAPX 386.) 


Figure 8-4. Task Switch Through a Task Gate 
(Figure labels: CALL SELECTOR, TASK GATE, LDT SELECTOR, BACK LINK.) 


CHAPTER 9 
INTERRUPTS AND EXCEPTIONS 


Interrupts and exceptions are special cases of 
control transfer within a program. An inter- 
rupt occurs as a result of an event that is 
independent of the currently executing 
program, while exceptions are a direct result 
of the program currently being executed. 
Interrupts may be external or internal. Exter- 
nal interrupts are generated by either the 
INTR or NMI input pins. Internal interrupts 
are caused by the INT instruction. Excep- 
tions occur when an instruction cannot be 
completed normally. Although their causes 
differ, interrupts and exceptions use the same 
control transfer techniques and privilege rules; 
therefore, in the following discussions the term 
interrupt will also apply to exceptions. 


The program used to service an interrupt may 
execute in the context of the task that caused 
the interrupt (i.e., uses the same TSS, LDT, 
stacks, etc.) or may be a separate task. The 
choice depends on the function to be 
performed and the level of isolation required. 


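Figure 9-1. Interrupt Descriptor Table Definition 
(Figure labels: IDT LIMIT, IDT BASE, INTERRUPT DESCRIPTOR TABLE (IDT). The IDT may contain interrupt gates, trap gates, or task gates.) 


9.1 INTERRUPT DESCRIPTOR TABLE 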


Many different events may cause an inter- 
rupt. To allow the reason for an interrupt to 
be easily identified, each interrupt source is 
given a number called the interrupt vector. Up 
to 256 different interrupt vectors (numbers) 
are possible. See figure 9-1. 


A table is used to define the handler for each 
interrupt vector. The Interrupt Descriptor 
Table (IDT) defines the interrupt handlers for 
up to 256 different interrupts. The IDT is in 
physical memory, pointed to by the contents 
of the on-chip IDT register that contains a 
24-bit base and a 16-bit limit. The IDTR is 
normally loaded with the LIDT instruction by 
code that executes at privilege level 0 during 
system initialization. The IDT may be located 
anywhere in the physical address space of the 
iAPX 286. 


Each IDT entry is a 4-word gate descriptor 
that contains a pointer to the handler. The 
three types of gates permitted in the IDT are 
interrupt gates, trap gates (discussed in 
section 9.3), and task gates (discussed in 
section 9.5). Interrupt and trap gates process 
interrupts in the same task, while task gates 
cause a task switch. Any other descriptor type 
in the IDT will cause an exception if it is 
referenced by an interrupt. 


The IDT need not contain all 256 entries. A 
16-bit limit register allows less than the full 
number of entries. Unused entries may be 
signaled by placing a zero in the access rights 
byte. If an attempt is made to access an entry 
outside the table limit, or if the wrong 
descriptor type is found, a general protection 
fault occurs with an error code pushed on the 
stack identifying the invalid interrupt vector 
(see figure 9-2). 


Exception error codes that refer to an IDT 
entry can be identified by bit 1 of the error 
code that will be set. Bit 0 of the error code 
is 1 if the interrupt was caused by an event 
external to the program (i.e., an external 
interrupt, a single step, a processor extension 
error, or a processor extension not present). 


Interrupts 0-31 are reserved for use by Intel. 
Some of the interrupts are used for instruction 
exceptions. The IDT limit must be at 
least 255 (32 x 8 - 1) to accommodate the 
minimum number of interrupts. The remaining 
224 interrupts are available to the user. 


9.2 HARDWARE INITIATED INTERRUPTS 


Hardware-initiated interrupts are caused by 
some external event that activates either the 
INTR or NMI input pins of the processor. 
Events that use the INTR input are classified 
as maskable interrupts. Events that use the 
NMI input are classified as non-maskable 
interrupts. 


All 224 user-defined interrupt sources share 
the INTR input, but each has the ability to 
use a separate interrupt handler. An 8-bit 
vector supplied by the interrupt controller 
identifies which interrupt is being signaled. To 
read the interrupt id, the processor performs 
the interrupt acknowledge bus sequence. 


Maskable interrupts (from the INTR input) 
can be inhibited by software by setting the 
interrupt flag bit (IF) to 0 in the flag word. 
The IF bit does not inhibit exceptions or 
interrupts caused by the INT instruction. The 
IF bit also does not inhibit processor extension 
interrupts. 


Figure 9-2. IDT Selector Error Code 
(Figure labels: IDT VECTOR in bits 15-3. Bit 0 = 1: an event external to the program caused the exception (i.e., external interrupt, single step, processor extension error). Bit 0 = 0: an exception occurred while processing an instruction at CS:IP saved on stack.) 


The type of gate placed into the IDT for the 
interrupt vector will control whether other 
maskable interrupts remain enabled or not 
during the servicing of that interrupt. The flag 
word that was saved on the stack reflects the 
maskable interrupt enable status of the 
processor prior to the interrupt. The proce- 
dure servicing a maskable interrupt can also 
prevent further maskable interrupts during its 
work by resetting the IF flag. 


Non-maskable interrupts are caused by the 
NMI input. They have a higher priority than 
the maskable interrupts (meaning that in case 
of simultaneous requests, the non-maskable 
interrupt will be serviced first). A non- 
maskable interrupt has a fixed vector (#2) and 
therefore does not require an interrupt 
acknowledge sequence on the bus. A typical 
use of an NMI is to invoke a procedure to 
handle a power failure or some other critical 
hardware exception. 


A procedure servicing an NMI will not be 
further interrupted by other non-maskable 
interrupt requests until an IRET instruction 
is executed. A further NMI request is 
remembered by the hardware and will be 
serviced after the first IRET instruction. Only 
one NMI request can be remembered. To 
prevent a maskable interrupt from interrupt- 
ing the NMI interrupt handler, the IF flag 
should be cleared either by using an interrupt 
gate in the IDT or by setting IF = 0 in the 
flag word of the task involved. 


9.3 SOFTWARE INITIATED INTERRUPTS 


Software initiated interrupts occur explicitly 
as interrupt instructions or may arise as the 
result of an exceptional condition that 
prevents the continuation of program execu- 
tion. Software interrupts are not maskable. 
Two interrupt instructions exist which explic- 
itly cause an interrupt: INT n and INT 3. The 
first allows specification of any interrupt 
vector; the second implies interrupt vector 3 
(Breakpoint). 


Other instructions like INTO, BOUND, DIV, 
and IDIV may cause an interrupt, depending 
on the overflow flag or values of the operands. 
These instructions have predefined vectors 
associated with them in the first 32 interrupts 
reserved by Intel. 


A whole class of interrupts called exceptions 
are intended to detect faults or programming 
errors (in the use of operands or privilege 
levels). Exceptions cannot be masked. They 
also have fixed vectors within the first 32 
interrupts. Many of these exceptions pass an 
error code on the stack, which is not the case 
with the other interrupt types discussed in 
section 9.2. Section 9.5 discusses these error 
codes as well as the priority among interrupts 
that can occur simultaneously. 


9.4 INTERRUPT GATES AND TRAP GATES 


Interrupt gates and trap gates are special 
types of descriptors that may only appear in 
the interrupt descriptor table. The difference 
between a trap and an interrupt gate is 
whether the interrupt enable flag is to be 
cleared or not. An interrupt gate specifies a 
procedure that enters with interrupts disabled 
(i.e., with the interrupt enable flag cleared); 
entry via a trap gate leaves the interrupt 
enable status unchanged. The NT flag is 
always cleared (after the old NT state is saved 
on the stack) when an interrupt uses these 
gates. Interrupts that have either gate in the 
associated IDT entry will be processed in the 
current task. 


Interrupt and trap gates have the same 
structure as the call gates discussed in section 
7.5.1. The selector and entry point for a code 
segment to handle the interrupt or exception 
is contained in the gate. See figure 9-3. 


The access byte contains the Present bit, the 
descriptor privilege level, and the type identifier. 
Bits 0-4 of the access byte have a value 
of 00110 for interrupt gates, 00111 for trap 
gates. Byte 5 of the descriptor is not used by 
either of these gates; it is used only by the 
call gate, which uses it as the parameter 
word-count. 


Trap and interrupt gates allow a privilege 
level transition to occur when passing control 
to a non-conforming code segment. Like a call 
gate, the DPL of the target code segment 
selected determines the new CPL. The DPL 
of the new non-conforming code segment must 
be numerically less than or equal to CPL. 


No privilege transition occurs if the new code 
segment is conforming. If the DPL of the 
conforming code segment is greater than the 
CPL, a general protection exception will 
occur. 


As with all descriptors, these gates in the IDT 
carry a privilege level. The DPL controls 
access to interrupts with the INT n and INT 
3 instructions. For access, the CPL of the 
program must be less than or equal to the gate 
DPL. If the CPL is not, a general protection 
exception will result with an error code 
identifying the selected IDT gate. For exceptions 
and external interrupts, the CPL of the 
program is ignored while accessing the IDT. 
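

The IDT checks described so far (table limit, gate type in access-byte bits 0-4, the DPL test for INT n, the P bit) and the error code they report, as an added C example that is not part of the manual. The byte offsets used (offset at +0, selector at +2, access byte at +5) are the standard 80286 gate layout, which the surviving text here does not spell out; the sample IDT, its selector and offset values, and vector 33 as a system-call gate are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gate types: bits 0-4 of the access byte, values as given in the text. */
enum { GATE_TASK = 0x05, GATE_INTERRUPT = 0x06, GATE_TRAP = 0x07 };
enum fault { FAULT_NONE = 0, FAULT_NP = 11, FAULT_GP = 13 };

struct gate { unsigned type, dpl, present; uint16_t selector, offset; };
struct result { enum fault fault; uint16_t error_code; };

/* Assumed layout (see lead-in): offset +0, selector +2, access byte +5. */
static void decode_gate(const uint8_t d[8], struct gate *g)
{
    g->offset   = (uint16_t)(d[0] | (d[1] << 8));
    g->selector = (uint16_t)(d[2] | (d[3] << 8));
    g->type     = d[5] & 0x1F;
    g->dpl      = (d[5] >> 5) & 3;
    g->present  = (d[5] >> 7) & 1;
}

/* Error code for a fault that refers to an IDT entry: vector * 8 + 2 + EXT. */
static uint16_t idt_error_code(unsigned vector, unsigned ext)
{
    return (uint16_t)(vector * 8 + 2 + (ext & 1));
}

/* First four checks of Table 9-1, in table order. via_int is nonzero for
 * INT n / INT 3; ext is 1 for an event external to the program. */
struct result idt_check(const uint8_t *idt, uint16_t limit, unsigned vector,
                        unsigned cpl, int via_int, unsigned ext)
{
    struct result ok = { FAULT_NONE, 0 };
    struct result r = { FAULT_GP, idt_error_code(vector, ext) };
    struct gate g;

    if (vector * 8 + 7 > limit)          /* entry lies outside the IDT limit */
        return r;
    decode_gate(idt + vector * 8, &g);
    if (g.type != GATE_TASK && g.type != GATE_INTERRUPT && g.type != GATE_TRAP)
        return r;                        /* wrong type, or unused (access = 0) */
    if (via_int && cpl > g.dpl)          /* INT needs CPL <= gate DPL */
        return r;
    if (!g.present) {                    /* gate marked not present */
        r.fault = FAULT_NP;
        return r;
    }
    return ok;
}

/* Audit: how many vectors can code running at `cpl` enter with INT n? */
unsigned count_int_reachable(const uint8_t *idt, uint16_t limit, unsigned cpl)
{
    unsigned v, n = 0;
    for (v = 0; v < 256; v++)
        if (idt_check(idt, limit, v, cpl, 1, 0).fault == FAULT_NONE)
            n++;
    return n;
}

/* ---- constructed sample IDT: 40 entries, limit = 40 * 8 - 1 ---- */
#define SAMPLE_LIMIT (40 * 8 - 1)
static uint8_t sample_idt[SAMPLE_LIMIT + 1];

static void put_gate(unsigned v, unsigned type, unsigned dpl, unsigned present)
{
    uint8_t *d = sample_idt + v * 8;
    d[0] = 0x00; d[1] = 0x10;            /* offset 0x1000 (made up) */
    d[2] = 0x08; d[3] = 0x00;            /* selector 0x0008 (made up) */
    d[5] = (uint8_t)((present << 7) | (dpl << 5) | type);
}

const uint8_t *build_sample_idt(void)
{
    memset(sample_idt, 0, sizeof sample_idt);  /* access byte 0 = unused */
    put_gate(3,  GATE_TRAP,      3, 1);  /* breakpoint, open to level 3 */
    put_gate(8,  GATE_TASK,      0, 1);  /* double fault through a task gate */
    put_gate(13, GATE_INTERRUPT, 0, 1);  /* general protection */
    put_gate(32, GATE_INTERRUPT, 0, 1);  /* hardware interrupt */
    put_gate(33, GATE_TRAP,      3, 1);  /* hypothetical system-call vector */
    put_gate(34, GATE_TRAP,      3, 0);  /* gate marked not present */
    return sample_idt;
}

int main(void)
{
    const uint8_t *idt = build_sample_idt();
    struct result r = idt_check(idt, SAMPLE_LIMIT, 13, 3, 1, 0);
    printf("INT 13 at CPL 3: fault %d, error code %u\n", r.fault, r.error_code);
    printf("vectors enterable by INT at CPL 3: %u\n",
           count_int_reachable(idt, SAMPLE_LIMIT, 3));
    return 0;
}
```

Running the audit over a real IDT image shows at a glance which exception vectors level 3 code could raise with INT n; in the sample only the two DPL 3 gates that are present pass.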


Interrupts using a trap or an interrupt gate 
are handled in the same manner as an iAPX 
86 interrupt. The flags and return address of 
the interrupted program are saved on the 
stack of the interrupt handler. To return to 
the interrupted program, the interrupt handler 
executes an IRET instruction. 


If an increase in privilege is required for 
handling the interrupt, a new stack will be 
loaded from the TSS. The stack pointer of the 
old privilege level will also be saved on the 
new stack in the same manner as a call gate. 
Figure 9-4 shows the stack contents after an 
exception with an error code (with and 
without a privilege level change). 


If an interrupt or trap gate is used to handle 
an exception that passes an error code, the 
error code will be pushed onto the new stack 
after the return address (as shown in figure 
9-4). If a task gate is used, the error code is 
pushed onto the stack of the new task. The 
return address is saved in the old TSS. 


Figure 9-3. Trap/Interrupt Gate Descriptors 
(Figure labels: INTEL RESERVED*, INTERRUPT CODE SEGMENT SELECTOR, INTERRUPT CODE OFFSET. T = 1 for trap gate, T = 0 for interrupt gate. *Must be set to 0 for compatibility with iAPX 386.) 


Figure 9-4. Stack Layout After an Exception with an Error Code 
(Figure panels: NO PRIVILEGE TRANSITION, WITH PRIVILEGE TRANSITION. Labels: OLD SS, OLD FLAGS, OLD CS, OLD IP, ERROR CODE, SP FROM TSS, STACK SEGMENT.) 


If an interrupt gate is used to handle an interrupt, 
it is assumed that the selected code 
segment has sufficient privilege to re-enable 
interrupts. The IRET instruction will not 
re-enable interrupts if CPL is numerically 
greater than IOPL. 


Table 9-1 shows the checks performed during 
an interrupt operation that uses an interrupt 
or trap gate. EXT equals 1 when an event 
external to the program is involved, 0 otherwise. 
External events are maskable or non-maskable 
interrupts, single step interrupt, 
processor extension segment overrun interrupt, 
numeric processor not-present exception 
or numeric processor error. The EXT bit 
signals that the interrupt or exception is not 
related to the instruction at CS:IP. Each error 
code has bit 1 set to indicate an IDT entry is 
involved. 


When the interrupt has been serviced, the 
service routine returns control via an IRET 
instruction to the routine that was interrupted. 
If an error code was passed, the 
exception handler must remove the error code 
from the stack before executing IRET. 


Table 9-1. Trap and Interrupt Gate Checks 

Check                                                                 Error Code

Interrupt vector is in IDT limit                                      IDT entry x 8 + 2 + EXT
Trap, Interrupt, or Task Gate in IDT Entry                            IDT entry x 8 + 2 + EXT
If INT instruction, gate DPL >= CPL                                   IDT entry x 8 + 2 + EXT
P bit of gate is set                                                  IDT entry x 8 + 2 + EXT
Code segment selector is in descriptor table limit                    IDT entry x 8 + 2 + EXT
CS selector refers to a code segment                                  IDT entry x 8 + 2 + EXT
If code segment is non-conforming, DPL <= CPL                         IDT entry x 8 + 2 + EXT
If code segment is non-conforming, and DPL < CPL and if
  SS selector in TSS is in descriptor table limit                     IDT entry x 8 + 2 + EXT
If code segment is non-conforming, and DPL < CPL and if
  SS is a writable data segment                                       IDT entry x 8 + 2 + EXT
If code segment is non-conforming, and DPL < CPL and
  code segment DPL = stack segment DPL                                Stack segment selector + EXT
If code segment is non-conforming, and DPL < CPL and if
  SS is present                                                       Stack segment selector + EXT
If code segment is non-conforming, and DPL < CPL and if
  there is enough space for 5 words on the stack (or 6 if error
  code is required)                                                   0 + EXT
If code segment is conforming, then DPL <= CPL                        Code segment selector + EXT
If code segment is not present                                        Code segment selector + EXT
If IP is not within the limit of code segment                         0 + EXT

* GP = General Protection Exception 
NP = Not Present Exception 
SF = Stack Fault 


The NT flag is cleared when an interrupt 
occurs which uses an interrupt or trap gate. 
Executing IRET with NT=0 causes the 
normal interrupt return function. Executing 
IRET with NT=1 causes a task switch (see 
section 8.4 for more details). 


Like the RET instruction, IRET is restricted 
to return to a level of equal or lesser privilege 
unless a task switch occurs. The IRET 
instruction works like the inter-segment RET 
instruction except that the flag word is popped 
and no stack pointer update for parameters is 
performed since no parameters are on the 
stack. See section 7.5.2 for information on 
inter-level returns. 


To distinguish an inter-level IRET, the new 
CPL (which is the RPL of the return address 
CS selector) is compared with the current 
CPL. If they are the same, the IP and flags 
are popped and execution continues. 


An inter-level return via IRET has all the 
same checks as shown in table 7-4. The only 
difference is the extra word on the stack for 
the old flag word. 


Interrupt gates are typically associated with 
high-priority hardware interrupts for 
automatically disabling interrupts upon their 
invocation. Trap gates are typically software- 
invoked since they do not disable the maska- 
ble hardware interrupts. However, low-prior- 
ity interrupts (e.g., a timer) are often invoked 
via a trap gate to allow other devices of higher 
priority to interrupt the handler of that lower 
priority interrupt. 


Table 9-2 illustrates how the interrupt enable 
flag and interrupt type interact with the type 
of gate used. 


9.5 TASK GATES AND INTERRUPT TASKS 


The iAPX 286 allows interrupts to directly 
cause a task switch. When an interrupt vector 
selects an entry in the IDT which is a task 
gate, a task switch occurs. The format of a 
task gate is described in section 8.5. If a task 
gate is used to handle an exception that passes 
an error code, the error code will be pushed 
onto the new task’s stack. 


A task gate offers two advantages over 
interrupt gates: 


1. It automatically saves all of the processor 
registers as part of the task-switch operation 
whereas an interrupt gate saves only 
the flag register and CS:IP. 


2. The new task is completely isolated from 
the task that was interrupted. Address 
spaces are isolated and the interrupt- 
handling task is unaffected by the 
privilege level of the interrupted task. 


An interrupt task switch works like any other 
task switch once the TSS selector is fetched 
from the task gate. Like a trap or an interrupt 
gate, privilege and presence rules are 
applied to accessing a task gate during an 
interrupt. 


Interrupts that cause a task switch set the NT 
bit in the flags of the new task. The TSS 
selector of the interrupted task is saved in the 
back link field of the new TSS. The interrupting 
task executes IRET to perform a task 
switch to return to the interrupted task 
because NT was previously set. The interrupt 
task state is saved in its TSS before returning 
control to the task that was interrupted; NT 
is restored to its original value in the interrupted 
task. 


Since the interrupt handler state after 
executing IRET is saved, a re-entry of the 
interrupt service task will result in the execution 
of the instruction that follows IRET. 
Therefore, when the next interrupt occurs, the 
machine state will be the same as that when 
the IRET instruction was executed. 


Table 9-2. Interrupt and Gate Interactions 

Type of      Type of      Further   Further   Further       Further software
Interrupt    Gate         NMIs?     INTRs?    Exceptions?   Interrupts?

NMI          Trap
NMI          Interrupt
INTR         Trap
INTR         Interrupt
Software     Trap
Software     Interrupt
Exception    Trap
Exception    Interrupt


Note that an interrupt task resumes execution 
each time it is re-invoked, whereas an 
interrupt procedure starts executing at the 
beginning of the procedure each time. The 
interrupted task restarts execution at the point 
of interruption because interrupts occur before 
the execution of an instruction. 


When an interrupt task is used, the task must 
be concerned with avoiding further interrupts 
while it is operating. A general protection 
exception will occur if a task gate referring to 
a busy TSS is used while processing an interrupt. 
If subsequent interrupts can occur while 
the task is executing, the IF bit in the flag 
word (saved in the TSS) must be zero. 


9.5.1 Scheduling Considerations 


A software-scheduled operating system must 
be designed to handle the fact that interrupts 
can come along in the middle of scheduled 
tasks and cause a task switch to other tasks. 
The interrupt-scheduled tasks may call the 
operating system and eventually the schedu- 
ler, which needs to recognize that the task that 
just called it is not the one the operating 
system last scheduled. 


If the Task Register (TR) does not contain 
the TSS selector of the last scheduled task, 
an interrupt initiated task switch has 
occurred. More than one task may have been 
interrupt-scheduled since the scheduler last 
ran. The scheduler must find via the backlink 
fields in each TSS all tasks that have been 
interrupted. The scheduler can clear those 
links and reset the busy bit in the TSS 
descriptors, putting them back in the scheduling 
queue for a new analysis of execution 
priorities. Unless the interrupted tasks are 
placed back in the scheduling queue, they 
would have to await a later restart via the task 
that interrupted them. 


To locate tasks that have been interrupt- 
scheduled, the scheduler looks into the current 
task’s TSS backlink (word one of the TSS), 
which points at the interrupted task. If that 
task was not the last task scheduled, then its 
backlink field in the TSS also points to an 
interrupted task. 


The backlink field of each interrupt-scheduled 
task should be set by the scheduler to point 
to a scheduling task that will reschedule the 
highest priority task when the interrupt- 
scheduled task executes IRET. 
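

The back link walk of section 9.5.1, using the update order given just before Table 8-2 (back link first, then the busy bit), as an added C example that is not part of the manual. The task array, the selector values and the `queued` flag are a hypothetical model standing in for real TSS segments and GDT descriptors; the walk validates the whole chain before changing anything, so a corrupted back link leaves every task untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTASKS 8                          /* size of the modelled GDT slice */
#define SEL(i) ((uint16_t)((i) << 3))     /* GDT selector for index i */
#define IDX(s) ((unsigned)(s) >> 3)

/* Simplified model (assumption): only the state this procedure touches. */
struct task {
    uint16_t backlink;  /* back link, word one of the TSS */
    int busy;           /* busy bit of this task's TSS descriptor */
    int queued;         /* set when the scheduler requeues the task */
};

/* Usable chain member: GDT selector (TI = 0), not null, in range, busy. */
static int valid_busy_tss(const struct task *t, uint16_t sel)
{
    return (sel & 4) == 0 && IDX(sel) != 0 && IDX(sel) < NTASKS &&
           t[IDX(sel)].busy;
}

/* Walk back links from the current task (TR) to the last scheduled task.
 * Returns the number of interrupted tasks requeued, 0 if no interrupt task
 * switch happened, or -1 if the chain is malformed (nothing is changed). */
int unlink_interrupt_chain(struct task *t, uint16_t tr,
                           uint16_t last_scheduled, uint16_t sched_sel)
{
    uint16_t cur;
    int n = 0;

    /* IRET into the scheduler task needs its busy bit set (Table 8-2). */
    if (!valid_busy_tss(t, sched_sel))
        return -1;

    /* Pass 1: validate the whole chain, bounded so a loop cannot hang us. */
    for (cur = tr; cur != last_scheduled; cur = t[IDX(cur)].backlink) {
        if (n++ >= NTASKS || !valid_busy_tss(t, cur) ||
            !valid_busy_tss(t, t[IDX(cur)].backlink))
            return -1;
    }

    /* Pass 2: unlink. Order matters: back link first, then the busy bit. */
    for (cur = tr; cur != last_scheduled; ) {
        uint16_t prev = t[IDX(cur)].backlink;
        t[IDX(cur)].backlink = sched_sel;  /* IRET now enters the scheduler */
        t[IDX(prev)].busy = 0;             /* interrupted task is free again */
        t[IDX(prev)].queued = 1;           /* back into the scheduling queue */
        cur = prev;
    }
    return n;
}

/* Constructed scenario: task 1 = scheduler task, 2 = A (last scheduled),
 * 3 = B (interrupted A), 4 = C (interrupted B, currently in TR). */
static struct task sample[NTASKS];

struct task *build_sample(void)
{
    memset(sample, 0, sizeof sample);
    sample[1].busy = 1;
    sample[2].busy = 1;
    sample[3].busy = 1; sample[3].backlink = SEL(2);
    sample[4].busy = 1; sample[4].backlink = SEL(3);
    return sample;
}

int main(void)
{
    int n = unlink_interrupt_chain(build_sample(), SEL(4), SEL(2), SEL(1));
    printf("requeued %d interrupted tasks\n", n);
    printf("C back link now 0x%04x, B busy=%d, A busy=%d\n",
           sample[4].backlink, sample[3].busy, sample[2].busy);
    return 0;
}
```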


9.5.2 Deciding Between Task, Trap, and 
Interrupt Gates 


Interrupts and exceptions can be handled with 
either a trap/interrupt gate or a task gate. 
The advantages of a task gate are that all the 
registers are saved and a new set is loaded 
with full isolation between the interrupted 
task and the interrupt handler. The advantages 
of a trap/interrupt gate are faster 
response to an interrupt for simple operations 
and easy access to pointers in the context of 
the interrupted task. All interrupt handlers 
use IRET to resume the interrupted program. 


Trap/interrupt gates require that the interrupt 
handler be able to execute at the same 
or greater privilege level than the interrupted 
program. If any program executing at level 0 
can be interrupted through a trap/interrupt gate, 
the interrupt handler must also execute at 
level 0 to avoid general protection exception. 
All code, data, and stack segment descriptors 
must be in the GDT to allow access from any 
task. But, placing all system interrupt 
handlers at privilege level 0 may be 
inconsistent with maintaining the integrity of 
level 0 programs. 


Some exceptions require the use of a task 
gate. The invalid task state segment exception 
(#10) can arise from errors in the original 
TSS as well as in the target TSS. 
Handling the exception within the same task 
could lead to recursive interrupts or other 
undesirable effects that are difficult to trace. 
The double fault exception (#8) should also 
use a task gate to prevent shutdown from 
another protection violation occurring during 
the servicing of the exception. 


9.6 PROTECTION EXCEPTIONS AND 
RESERVED VECTORS 


A protection violation will cause an excep- 
tion, i.e., a non-maskable interrupt. Such a 
fault can be handled by the task that caused 
it if an interrupt or trap gate is used, or by a 
different task if a task gate is used (in the 
IDT). 


Protection exceptions can be classified into 
program errors or implicit requests for service. 
The latter include stack overflow and not- 
present faults. Examples of program errors 
include attempting to write into a read-only 
segment, or violating segment limits. 


Requests for service may use different inter- 
rupt vectors, but many diverse types of 
protection violation use the same general 
protection fault vector. Table 9-3 shows the 
reserved exceptions and interrupts. Interrupts 
0-31 are reserved by Intel. 


When simultaneous external interrupt 
requests occur, they are processed in the fixed 
order shown in table 9-4. For each interrupt 
serviced, the machine state is saved. The new 
CS:IP is loaded from the gate or TSS. If other 
interrupts remain enabled, they are processed 
before the first instruction of the current 
interrupt handler, i.e., the last interrupt 
processed is serviced first. 


All but two exceptions are restartable after 
the exceptional condition is removed. The two 
non-restartable exceptions are the processor 
extension segment overrun and writing into 
read only segments with XCHG, ADC, SBB, 
RCL, and RCR instructions. The return 
address normally points to the failing instruc- 
tion, including all leading prefixes. 


The instruction and data addresses for the 
processor extension segment overrun are 
contained in the processor extension status 
registers. 


Interrupt handlers for most exceptions receive 
an error code that identifies the selector 
involved, or a 0 in bits 15-3 of the error code 
field if there is no selector involved. The error 
code is pushed last, after the return address, 
on the stack that will be active when the trap 
handler begins execution. This ensures that 
the handler will not have to access another 
stack segment to find the error code. 


Table 9-3. Reserved Exceptions and Interrupts 

Vector   Exception or Interrupt                          Error Code

0        Divide Error Exception                          No
1        Single Step Interrupt                           No
2        NMI Interrupt                                   No
3        Breakpoint Interrupt                            No
4        INTO Detected Overflow Exception                No
5        BOUND Range Exceeded Exception                  No
6        Invalid Opcode Exception                        No
7        Processor Extension Not Available Exception     No
8        Double Exception Detected                       Yes (Always 0)
9        Processor Extension Segment Overrun Interrupt   No
10       Invalid Task State Segment                      Yes
11       Segment Not Present                             Yes
12       Stack Segment Overrun or Not Present            Yes
13       General Protection                              Yes

* Except for writes into read-only segments (See section 9.6) 


Table 9-4. Interrupt Processing Order 

Order   Interrupt

1       Instruction exception
2       Single step
3       NMI
4       Processor extension segment overrun
5       INTR


The following sections describe the exceptions 
in greater detail. 


9.6.1 Invalid OP-Code (Interrupt 6) 


When an invalid opcode is detected by the 
execution unit, interrupt 6 is invoked. (It is 
not detected until an attempt is made to 
execute it, i.e., prefetching an invalid opcode 
does not cause this exception.) The saved 
CS:IP will point to the invalid opcode or any 
leading prefixes; no error code is pushed on 
the stack. The exception can be handled 
within the same task, and is restartable. 


This exception will occur for all cases of an 
invalid operand. Examples include an inter- 
segment jump referencing a register operand, 
or an LES instruction with a register source 
operand. This exception can also occur 
because redundant prefixes have been placed 
before an instruction so that the total length 
of the instruction exceeds 10 bytes. 


9.6.2 Double Fault (Interrupt 8) 


If two separate protection violations occur 
during a single instruction, exception 8 
(Double Fault) occurs (e.g., a general protection 
fault in level 3 is followed by a not- 
present fault due to a segment not-present). 


If another protection violation occurs during 
the processing of exception 8, the iAPX 286 
enters shutdown, during which time no further 
instructions or exceptions are processed. 


Either NMI or RESET can force the CPU 
out of shutdown. An NMI input can bring the 
CPU out of shutdown if no errors occur while 
processing the NMI interrupt; otherwise, 
shutdown can only be exited via the RESET 
input. NMI causes the CPU to remain in 
protected mode, and RESET causes it to exit 
protected mode. Shutdown is signaled exter- 
nally via a HALT bus operation with A1 
LOW. 


A task gate must be used for the double fault 
handler to assure a proper task state to 
respond to the exception. The back link field 
in the current TSS will identify the TSS of 
the task causing the exception. The saved 
address will point at the instruction that was 
being executed (or was ready to execute) 
when the error was detected. The error code 
will be null. 


9.6.3 Processor Extension Segment 
Overrun (Interrupt 9) 


Interrupt 9 signals that the processor extension 
(such as the 80287 numerics processor) 
has overrun the limit of a segment while 
attempting to read/write the second or subsequent 
words of an operand. The interrupt is 
generated by the processor extension data 
channel within the 80286 during the limit test 
performed on each transfer of data between 
memory and the processor extension. This 
interrupt can be handled in the same task but 
is not restartable. 


As with all external interrupts, Interrupt 9 is 
an asynchronous demand caused by the 
processor extension referencing something 
outside a segment boundary. Since Interrupt 
9 can occur any time after the processor 
extension is started, the 80286 does not save 
any information that identifies what particular 
operation had been initiated in the processor 
extension. The processor extension 
maintains special registers that identify the 
last instruction it executed and the address of 
the desired operand. 


After this interrupt occurs, no WAIT or 
escape instruction, except FNINIT, can be 
executed until the interrupt condition is 
cleared or the processor extension is reset. The 
interrupt signals that the processor extension 
is requesting an invalid data transfer. The 
processor extension will always be busy when 
waiting on data. Deadlock results if the CPU 
executes an instruction that causes it to wait 
for the processor extension before resetting the 
processor extension. Deadlock means the CPU 
is waiting for the processor extension to 
become idle while the processor extension 
waits for the CPU to service its data request. 


The FNINIT instruction is guaranteed to 
reset the processor extension without causing 
deadlock. After the interrupt is cleared, this 
restriction is lifted. It is then possible to read 
the instruction and operand address via 
FSTENV or FSAVE, causing the segment 
overrun in the processor extension’s special 
registers. 


The task interrupted by interrupt 9 is not 
necessarily the task that executed the ESC 
instruction that caused the interrupt. The 
operating system should keep track of which 
task last used the NPX (see section 11.4). If 
the interrupted task did not execute the ESC 
instruction, it can be restarted. The task that 
executed the ESC instruction cannot. 


9.6.4 Invalid Task State Segment 
(Interrupt 10) 


Interrupt 10 is invoked if during a task switch 
the new TSS pointed to by the task gate is 
invalid. The EXT bit indicates whether the 
exception was caused by an event outside the 
control of the program. 


A TSS is considered invalid in the cases shown 
in table 9-5. 


Once the existence of the new TSS is verified, 
the task switch is considered complete, with 
the backlink set to the old task if necessary. 
All errors are handled in the context of the 
new task. 


Table 9-5. Conditions That Invalidate the TSS 

Condition                                               Error Code

The limit in the TSS descriptor is less than 43         TSS id + EXT
Invalid LDT selector or LDT not present                 LDT id + EXT
Stack segment selector is outside table limit           SS id + EXT
Stack segment is not a writable segment                 SS id + EXT
Stack segment DPL does not match new CPL                SS id + EXT
Stack segment selector RPL ≠ CPL                        SS id + EXT
Code segment selector is outside table limit            CS id + EXT
Code segment selector does not refer to code segment    CS id + EXT
Non-conforming code segment DPL ≠ CPL                   CS id + EXT
Conforming code segment DPL > CPL                       CS id + EXT
DS or ES segment selector is outside table limits       ES/DS id + EXT
DS or ES are not readable segments                      ES/DS id + EXT


Exception 10 must use a task gate to insure a 
proper TSS to process it. 


9.6.5 Not Present (Interrupt 11) 


Exception 11 occurs when an attempt is made 
to load a not-present segment or to use a 
control descriptor that is marked not-present. 
(If, however, the missing segment is an LDT 
that is needed in a task switch, exception 10 
occurs.) This exception is fully restartable. 


Any segment load instruction can cause this 
exception. Interrupt 11 is always processed in 
the context of the task in which it occurs. 


The error code has the form shown in figure 
9-5. The EXT bit will be set if an event external 
to the program caused an interrupt that 
subsequently referenced a not-present 
segment. Bit 1 will be set if the error code 
refers to an IDT entry, e.g., an INT instruction 
referencing a not-present gate. The upper 
14 bits are the upper 14 bits of the segment 
selector involved. 


When a not-present exception occurs, the ES 
and DS segment registers may not be usable 
for referencing memory. During a task switch, 
the selector values are loaded before the 
descriptors are checked. The not-present 
handler should not rely on being able to use 
the values found in CS, ES, SS, and DS 
without causing another exception. 


9.6.6 Stack Fault (Interrupt 12) 


Stack underflow or overflow causes exception 
12, as does a not-present stack segment referenced 
during an inter-task or inter-level 
transition. This exception is fully restartable. 
A limit violation of the current stack results 
in an error code of 0. The EXT bit of the error 
code tells whether an interrupt external to the 
program caused the exception. 


Any instruction that loads a selector to SS 
(e.g., POP SS, task switch) can cause this 
exception. This exception must use a task gate 
if there is a possibility that any level 0 stack 
may not be present. 


When a stack fault occurs, the ES and DS 
segment registers may not be usable for 
referencing memory. During a task switch, the 
selector values are loaded before the descrip- 
tors are checked. The stack fault handler 
should check the saved values of SS, CS, DS, 
and ES to be sure that they refer to present 
segments before restoring them. 


9.6.7 General Protection Fault 
(Interrupt 13) 


If a protection violation occurs which is not 
covered in the preceding paragraphs, it is 
classed as Interrupt 13, a general protection 
fault. The error code is zero for limit viola- 
tions, write to read-only segment violations, 
and accesses relative to DS or ES when they 
are zero or refer to a segment at a greater 
privilege level than CPL. Other access viola- 
tions (e.g., a wrong descriptor type) push a 
non-zero error code that identifies the selec- 
tor used on the stack. Error codes with bit 0 
cleared and bits 15-2 non-zero indicate a 
restartable condition. 


Bit 1 of the error code identifies whether the 
selector is in the IDT or LDT/GDT. If bit 
1=0 then bit 2 separates LDT from GDT. 


Bit 0 (EXT) indicates whether the exception 
was caused by the program or an event external 
to it (i.e., single stepping, an external 
interrupt, a processor extension not-present or 
a segment overrun). If bit 0 is set, the selec- 
tor typically has nothing to do with the 
instruction that was interrupted. The selector 
refers instead to some step of servicing an 
interrupt that failed. 


When bit 0 of the error code is set, the interrupted 
program can be restarted, except for 
processor extension segment overrun exceptions 
(see section 9.6.3). The exception with 
the bit 0 of the error code =1 indicates some 
interrupt has been lost due to a fault in the 
descriptor pointed to by the error code. 


A non-zero error code with bit 0 cleared may 
be an operand of the interrupted instruction, 
an operand from a gate referenced by the 
instruction, or a field from the invalid TSS. 


In Real Address Mode, Interrupt 13 will 
occur if software attempts to read or write a 
16-bit word at segment offset 0FFFFH. 
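

As an added illustration (not code from the manual), the following C example decodes an error code into the fields described in sections 9.6.5 and 9.6.7 and triages an interrupt 13 code by the rules above. The function names and sample codes are constructed for this example, and it assumes that bit 2 set denotes the LDT, as in a selector's table indicator bit.

```c
#include <stdint.h>
#include <stdio.h>

enum err_table { ERR_GDT, ERR_LDT, ERR_IDT };
enum gp_class  { GP_ZERO, GP_RESTARTABLE, GP_EXTERNAL, GP_OTHER };

struct err_code {
    int            ext;      /* bit 0 (EXT): event external to the program */
    enum err_table table;    /* bit 1: IDT entry; else bit 2: LDT or GDT */
    unsigned       index;    /* bits 15-3: entry number in that table */
    uint16_t       selector; /* upper 14 bits of the selector involved */
};

/* Split a 16-bit exception error code into the fields that sections
   9.6.5 and 9.6.7 describe. */
struct err_code decode_error_code(uint16_t code)
{
    struct err_code e;
    e.ext = code & 1;
    if (code & 2)
        e.table = ERR_IDT;
    else
        /* Assumption: bit 2 set means LDT, as for the TI bit of a selector. */
        e.table = (code & 4) ? ERR_LDT : ERR_GDT;
    e.index = code >> 3;
    e.selector = code & 0xFFFC;
    return e;
}

/* Triage of an interrupt 13 error code following section 9.6.7. */
enum gp_class classify_gp(uint16_t code)
{
    if (code == 0)
        return GP_ZERO;        /* limit or read-only violation, bad DS/ES */
    if (code & 1)
        return GP_EXTERNAL;    /* selector belongs to interrupt servicing */
    if (code & 0xFFFC)
        return GP_RESTARTABLE; /* bit 0 clear, bits 15-2 non-zero */
    return GP_OTHER;
}

/* Format one log line for a fault handler; returns snprintf's result. */
int describe_gp(uint16_t code, char *buf, size_t n)
{
    static const char *tbl[] = { "GDT", "LDT", "IDT" };
    static const char *cls[] = { "zero code", "restartable",
                                 "external event", "other" };
    struct err_code e = decode_error_code(code);
    return snprintf(buf, n, "code=%04X %s[%u] EXT=%d (%s)",
                    (unsigned)code, tbl[e.table], e.index, e.ext,
                    cls[classify_gp(code)]);
}

int main(void)
{
    /* Constructed error codes, not values taken from the manual. */
    static const uint16_t samples[] = { 0x0000, 0x0018, 0x002C, 0x006B };
    char line[64];
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        describe_gp(samples[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

A handler that sees the external-event class should treat the selector as belonging to the failed interrupt delivery, not to the interrupted instruction.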


9.7 ADDITIONAL EXCEPTIONS AND 
INTERRUPTS 


Interrupts 0, 5, and 1 have not yet been 
discussed. Interrupt 0 is the divide-error 
exception, Interrupt 5 the bound-range 
exceeded exception, and Interrupt 1 the 
single step interrupt. The divide-error or 
bound-range exceptions make it appear as if 
that instruction had never executed: the 
registers are restored and the instruction can 
be restarted. The divide-error exception occurs 
during a DIV or an IDIV instruction when 
the quotient will be too large to be represent- 
able, or when the divisor is zero. 


Interrupt 5 occurs when a value exceeds the 
limit set for it. A program can use the 
BOUND instruction to check a signed array 
index against signed limits defined in a two- 
word block of memory. The block can be 
located just before the array to simplify 
addressing. The block’s first word specifies the 
array’s lower limit, the second word specifies 
the array’s upper limit, and a register speci- 
fies the array index to be tested. 




9.7.1 Single Step Interrupt (Interrupt 1) 


Interrupt 1 allows programs to execute one 
instruction at a time. This single-stepping is 
controlled by the TF bit in the flag word. 
Once this bit is set, an internal single step 
interrupt will occur after the next instruction 
has been executed. The interrupt saves the 
flags and return address on the stack, clears 
the TF bit, and uses an internally supplied 
vector of 1 to transfer control to the service 
routine via the IDT. 


The IRET instruction or a task switch must 
be used to set the TF bit and to transfer 
control to the next instruction to be single 
stepped. If TF=1 in a TSS and that task is 
invoked, it will execute the first instruction 
and then be interrupted. 


The single-step flag is normally not cleared 
by privilege changes inside a task. INT 
instructions, however, do clear TF. There- 
fore, software debuggers that single-step code 
must recognize and emulate INT n or INTO 
rather than executing them directly. System 
software should check the current execution 
privilege level after any single step interrupt 
to see whether single stepping should continue. 


The interrupt priorities in hardware guaran- 
tee that if an external interrupt occurs, single 
stepping stops. When both an external inter- 
rupt and a single step interrupt occur together, 
the single step interrupt is processed first. This 
clears the TF bit. After saving the return 
address or switching tasks, the external inter- 
rupt input is examined before the first 
instruction of the single step handler executes. 
If the external interrupt is still pending, it is 
then serviced. The external interrupt handler 
is not single-stepped. Therefore, to single step 
an interrupt handler, just single step an inter- 
rupt instruction that refers to the interrupt 
handler. 




CHAPTER 10 
SYSTEM CONTROL AND INITIALIZATION 


Special flags, registers, and instructions 
provide control of the critical processes and 
interaction in iAPX 286 operations. The flag 
register includes 3 bits that represent the 
current I/O privilege level (IOPL: 2 bits) and 
the nested task bit (NT). Four additional 
registers support the virtual addressing and 
memory protection features: one points to the 
current Task State Segment and the other 
three point to the memory-based descriptor 
tables: GDT, LDT, and IDT. These flags and 
registers are discussed in the next section. The 
machine status word (which indicates 
processor configuration and status) and the 
instructions that load and store it are 
discussed in section 10.2.2. 


Similar instructions pertaining to the other 
registers are the subject of sections 10.2 and 
10.3. A detailed description of initialization 
states and processes, which appears in section 
10.4, is supplemented by the extensive 
example in Appendix A. Instructions that 
validate descriptors and pointers are covered 
in section 11.3. 


10.1 SYSTEM FLAGS AND REGISTERS 


The IOPL flag (bits 12 and 13 of the flags 
word) controls access to I/O operations and 
interrupt control instructions. These two bits 
represent the maximum privilege level 
(highest numerical CPL) at which the task is 
permitted to perform I/O instructions. Alter- 
ation of the IOPL flags is restricted to 
programs at level 0 or to a task switch. 


IRET uses the NT flag to select the proper 
return: if NT=0, the normal return within a 
task is performed. As discussed in Chapter 8, 
the nested task flag (bit 14 of flags) is set 
when a task initiates a task switch via a 
CALL or INT instruction. The old and new 
task state segments are marked busy and the 
backlink field of the new TSS is set to the old 
TSS selector. An interrupt that does not cause 
a task switch will clear NT after the old NT 
state is saved. To prevent a program from 
causing an illegal task switch by setting NT 
and then executing IRET, a zero selector 
should be placed in the backlink field of the 
TSS. An illegal task switch using IRET will 
then cause exception 13. The instructions 
POPF and IRET can also set or clear NT 
when flags are restored from the stack. POPF 
and IRET can also change the interrupt 
enable flag. If CPL ≤ IOPL, then the Interrupt 
Flag (IF) can be changed by POPF and 
IRET. Otherwise, the state of the IF bit in 
the new flag word is ignored by these instructions. 
Note that the CLI and STI instructions 
are valid only when CPL ≤ IOPL; otherwise 
exception 13 occurs. 


10.1.1 Descriptor Table Registers 


The three descriptor tables used for all 
memory accesses are based at addresses 
supplied by (stored in) three registers: the 
global descriptor table register (GDTR), the 
interrupt descriptor table register (IDTR), 
and the local descriptor table register 
(LDTR). Each register contains a 24-bit base 
field and a 16-bit limit field. The base field 
gives the real memory address of the begin- 
ning of the table; the limit field tells the 
maximum offset permitted in accessing table 
entries. See figures 10-1 thru 10-3. 


The LDTR also contains a selector field that 
identifies the descriptor for that table. LDT 
descriptors must reside in the GDT. 


The task register (TR) points to the task state 
segment for the currently active task. It is 
similar to a segment register, with selector, 
base, and limit fields, of which only the selec- 
tor field is readable under normal circum- 
stances. Each such selector serves as a unique 
identifier for its task. The uses of the TR are 
described in Chapter 8. 


The instructions controlling these special 
registers are described in the next section. 


10.2 SYSTEM CONTROL INSTRUCTIONS 


The instructions that load the GDTR and 
IDTR from memory can only be executed in 
real address mode or at privilege level 0; 
otherwise exception 13 occurs. The store 
instructions for GDTR and IDTR may be 
executed at any privilege level. The four 
instructions are LIDT, LGDT, SIDT, and 
SGDT. The instructions move 3 words 
between the indicated descriptor table regis- 
ter and the effective real memory address 
supplied (see figure 10-3). The format of the 
3 words is: a 2-byte limit, a 3-byte real base 
address, followed by an unused byte. These 
instructions are normally used during system 
initialization. 

The LLDT instruction loads the LDT regis- 
ters from a descriptor in the GDT. LLDT uses 
a selector operand to that descriptor rather 
than referencing the descriptor directly. 
LLDT is only executable at privilege level 0; 
otherwise exception 13 occurs. LLDT is 
normally required only during system initial- 
ization because the processor automatically 
exchanges the LDTR contents as part of the 
task-switch operation. 


Executing an LLDT instruction does not 
automatically update the TSS or the register 
caches. To properly change the LDT of the 
currently running task so that the change 
holds across task switches, you must perform, 
in order, the following three steps: 


1. Store the new LDT selector into the 
appropriate word of TSS. 


2. Load the new LDT selector into LDTR. 


3. Reload the DS and ES registers if they 
refer to LDT-based descriptors. 


Note that the current code segment and stack 
segment descriptors should reside in the GDT 
or be copied to the same location in the new 
LDT. 


SLDT (store LDT) can be executed at any 
privilege level. SLDT stores the local descrip- 
tor table selector from the program visible 
portion of the LDTR register. 


Task Register loading or storing is again 
similar to that of the LDT. The LTR instruc- 
tion, operating only at level 0, loads the LTR 
at initialization time with a selector for the 
initial TSS. LTR does NOT cause a task 
switch; it just changes the current TSS. Note 
that the busy bit of the old TSS descriptor is 
not changed while the busy bit of the new TSS 
selector must be zero and will be set by LTR. 
The LDT and any segment registers referring 
to the old LDT should be reloaded. STR, 
which permits the storing of TR contents into 
memory, can be executed at any privilege 
level. LTR is not usually needed after 
initialization because the TR is managed by the 
task-switch operation. 


10.2.2 Machine Status Word 


The Machine Status Word (MSW) indicates 
the iAPX 286 configuration and status. It is 
not part of a task’s state. The MSW word is 
loaded by the LMSW instruction executed in 
real address mode or at privilege level 0 only, 
or is stored by the SMSW instruction executing 
at any privilege level. MSW is a 16-bit 
register, the lower four bits of which are used 
by the iAPX 286. These bits have the 
meanings shown in table 10-1. Bits 15-4 of 
the MSW will be used by the iAPX 386. 
iAPX 286 software should not change these 
bits. If the bits are changed by the 286 
software, compatibility with the iAPX 386 
will be destroyed. 


Table 10-1. MSW Bit Functions 

Bit 
Position  Name  Function 

0         PE    Protected mode enable places 
                the 80286 into protected mode 
                and cannot be cleared except by 
                RESET. 

1         MP    Monitor processor extension 
                allows WAIT instructions to cause 
                a processor extension not-present 
                exception (number 7) if 
                TS is also set. 

2         EM    Emulate processor extension 
                causes a processor extension 
                not-present exception (number 7) 
                on ESC instructions to allow a 
                processor extension to be 
                emulated. 

3         TS    Task switched indicates the next 
                instruction using a processor 
                extension will cause exception 7, 
                allowing software to test whether 
                the current processor extension 
                context belongs to the current 
                task. 


The TS flag is set under hardware control and 
reset under software control. Once the TS flag 
is set, the next instruction using a processor 
extension causes a processor extension not- 
present exception (#7). This feature allows 
software to test whether the current proces- 
sor extension state belongs to the current task 
as discussed in section 11.4. If the current 
processor extension state belongs to a differ- 
ent task, the software can save the state of 
any processor extension with the state of the 
task that uses it. Thus, the TS bit protects a 
task from processor extension errors that 
result from the actions of a previous task. 


The CLTS instruction is used to reset the TS 
flag after the exception handler has set up the 
proper processor extension state. The CLTS 
instruction can be executed at privilege level 
0 only. 


The EM flag indicates a processor extension 
function is to be emulated by software. If 
EM=1 and MP=0, all ESCAPE instructions 
will be trapped via the processor extension 
not-present exception (#7). 


The MP flag tells whether a processor extension 
is present. If MP=1 and TS=1, escape and 
wait instructions will cause exception 7. 


The PE flag indicates that the iAPX 286 is 
in the protected virtual address mode. Once 
the PE flag is set, it can be cleared only by a 
reset, which then puts the system in real 
address mode emulating the 8086. 


Table 10-2 shows the recommended usage of 
the MSW. Other encodings of these bits are 
not recommended. 


Table 10-2. Recommended MSW Encodings for Processor Extension Control 


Recommended Use                          Instructions Causing Exception 


Initial encoding after RESET. iAPX 286 operation is identical to iAPX 


No processor extension is available. Software will emulate its 
function. Wait instructions do not cause exception 7. 


No processor extension is available. Software will emulate its 
function. The current processor extension context may belong to 
another task. 


A processor extension exists. The current processor extension 
context may belong to another task. The exception on WAIT allows 
software to test for an error pending from a previous processor 
extension operation. 


10.2.3 Other Instructions 


Instructions that verify or adjust access rights, 
segment limits, or privilege levels can be used 
to avoid exceptions or faults that are correct- 
able. Section 10.3 describes such instructions. 


10.3 PRIVILEGED AND TRUSTED 
INSTRUCTIONS 


Instructions that execute only at CPL=0 are 
called “privileged.” An attempt to execute the 
privileged instructions at any other privilege 
level causes a general protection exception 
(#13) with an error code of zero. The privi- 
leged instructions manipulate descriptor tables 
or system registers. Incorrect use of these 
instructions can produce unrecoverable 
conditions. Some of these instructions 
(LGDT, LLDT, and LTR) are discussed in 
section 10.2. 


Other privileged instructions are: 

• LIDT—Load interrupt descriptor table 
  register 

• LMSW—Load machine status word 

• CLTS—Clear task switch flag 

• HALT—Halt processor execution 

• POPF (POP flags) or IRET can change 
  the IF value only if the user is operating 
  at a trusted privilege level. POPF does not 
  change IOPL except at Level 0. 


“Trusted” instructions are restricted to 
execution at a privilege level of CPL ≤ IOPL. 
For each task, the operating system defines a 
privilege level below which these instructions 
cannot be used. Most of these instructions 
deal with input/output or interrupt manage- 
ment. The IOPL field in the flag word that 
holds the privilege level limit can be changed 
only when CPL=0. The trusted instructions 
are: 


• Input/Output—Block I/O, Input, and 
  Output: IN, INW, OUT, OUTW, INSB, 
  INSW, OUTSB, OUTSW 

• Interrupts—Enable Interrupts, Disable 
  Interrupts: STI, CLI 

• Other—Lock Prefix 


10.4 INITIALIZATION 


Whenever the iAPX 286 is initialized or reset, 
certain registers are set to predefined values. 
All additional desired initialization must be 
performed by user software. (See Appendix 
A for an example of a 286 initialization 
routine.) RESET forces the iAPX 286 to 
terminate all execution and local bus activity; 
no instruction or bus action will occur as long 
as RESET is active. Execution in real address 
mode begins after RESET becomes inactive 
and an internal processing interval (3-4 
clocks) occurs. The initial state at reset is: 


FLAGS = 0002 
MSW = FFF0H 
IP = FFF0H 
CS Selector = F000H    CS.base = FF0000H    CS.limit = FFFFH 
DS Selector = 0000H    DS.base = 000000H    DS.limit = FFFFH 
ES Selector = 0000H    ES.base = 000000H    ES.limit = FFFFH 
IDT base = 000000H     IDT.limit = 03FFH 


Two fixed areas of memory are reserved: the 
system initialization area and the interrupt 
table area. The system initialization area 
begins at FFFFF0H (through FFFFFFH) 
and the interrupt table area begins at 
000000H (through 0003FFH). The interrupt 
table area is not reserved. 


At this point, segment registers are valid and 
protection bits are set to 0. The iAPX 286 
begins operation in real address mode, with 
PE=0. Maskable interrupts are disabled, and 
no processor extension is assumed or emulated 
(EM=MP=0). 


DS, ES, and SS are initialized at reset to 
allow access to the first 64K of memory 
(exactly as in the 8086). The CS:IP combination 
specifies a starting address of 
FFFF0H. For real address mode, the four 
most significant bits are not used, providing 
the same FFF0H address as the 8086 reset 
location. Use of (or upgrade to) the protected 
mode can be supported by a bootstrap loader 
at the high end of the address space. As 
mentioned in Chapter 5, location FFF0H 
ordinarily contains a JMP instruction whose 
target is the actual beginning of a system 
initialization or restart program. 


After RESET, CS points to the top 64K bytes 
in the 16-Mbyte physical address space. 
Reloading CS register by a control transfer 
to a different code segment in real address 
mode will put zeros in the upper 4 bits. Since 
the initial IP is FFF0H, all of the upper 64K 
bytes of address space may be used for 
initialization. 


Sections 10.4.1 and 10.4.2 describe the steps 
needed to initialize the iAPX 286 in the real 
address mode and the protected mode, 
respectively. 


10.4.1 Real Address Mode 


1. Allocate a stack. 


2. Load programs and data into memory 
from secondary storage. 


3. Initialize external devices and the 
Interrupt Vector Table. 


4. Set registers and MSW bits to desired 
values. 


5. Set FLAG bits to desired values— 
including the IF bit to enable interrupts— 
after insuring that a valid interrupt 
handler exists for each possible 
interrupt. 


6. Execute (usually via an inter-segment 
JMP to the main system program). 


10.4.2 Protected Mode 


The full iAPX 286 virtual address mode 
initialization procedure requires additional 
steps to operate correctly: 


1. Load programs and associated descriptor 
tables. 


2. Load valid GDT and IDT descriptor 
tables, setting the GDTR and IDTR to 
their correct value. 


3. Set the PE bit to enter protected mode. 


4. Execute an intra-segment JMP to clear 
the processor queues. 


5. Load or construct a valid task state 
segment for the initial task to be executed 
in protected mode. 


6. Load the LDTR selector from the task’s 
GDT or 0000H (null) if an LDT is not 
needed. 


7. Set the stack pointer (SS, SP) to a valid 
location in a valid stack segment. 


8. Mark all items not in memory as 
not-present. 


9. Set FLAGS and MSW bits to correct 
values for the desired system 
configuration. 


10. Initialize external devices. 


11. Ensure that a valid interrupt handler 
exists for each possible interrupt. 


12. Enable interrupts. 


13. Execute. 


The example in Appendix A shows the steps 
necessary to load all the required tables and 
registers that permit execution of the first task 
of a protected mode system. The program in 
Appendix A assumes that Intel development 
tools have been used to construct a prototype 
GDT, IDT, LDT, TSS, and all the data 
segments necessary to start up that first task. 
Typically, these items are stored on EPROM; 
on most systems it is necessary to copy them 
all into RAM to get going. Otherwise, the 
iAPX 286 will attempt to write into the 
EPROM to set the accessed or busy bits. 


The example in Appendix A also illustrates 
the ability to allocate unused entries in 
descriptor tables to grow the tables dynami- 
cally during execution. Using suitable naming 
conventions, the builder can allocate alias data 
segments that are larger than the prototype 
EPROM version. The code in the example 
will zero out the extra entries to permit later 
dynamic usage. 


CHAPTER 11 
ADVANCED TOPICS 


This chapter describes such advanced 
topics as virtual memory management, 
restartable instructions, special segment 
attributes, and the validation of descriptors 
and pointers. 


11.1 VIRTUAL MEMORY MANAGEMENT 


When access to a segment is requested and 
the access byte in its descriptor indicates the 
segment is not present in real memory, the 
not-present fault occurs (exception 11, or 12 
for stacks). The handler for this fault can be 
set up to bring the absent segment into real 
memory (swapping or overwriting another 
segment if necessary), or to terminate execution 
of the requesting program if this is not 
possible. 


The accessed bit (bit 0) of the access byte is 
provided in both executable and data segment 
descriptors to support segment usage profil- 
ing. Whenever the descriptor is accessed by 
the iAPX 286 hardware, the A-bit will be set 
in memory. This applies to selector test 
instructions (described below) as well as to the 
loading of a segment register. The reading of 
the access byte and the restoration of it with 
the A-bit set is an indivisible operation, i.e., 
it is performed as a read-modify-write with 
bus lock. If an operating system develops a 
profile of segment usage over time, it can 
recognize segments of low or zero access and 
choose among these candidates for 
replacement. 


When a not-present segment is brought into 
real memory, the task that requested access 
to it can continue its execution because all 
instructions that load a segment register are 
restartable. 


Not-present exceptions occur only on segment 
register load operations, gate accesses, and 
task switches. The saved instruction pointer 
refers to the first byte of the violating 
instruction. All other aspects of the saved 
machine state are exactly as they were before 
execution of the violating instruction began. 
After the fault handler clears up the fault 
condition and performs an IRET, the program 
continues to execute. The only external 
indication of a segment swap is the additional 
execution time. 


11.2 SPECIAL SEGMENT ATTRIBUTES 


11.2.1 Conforming Code Segments 


Code segments intended for use at potentially 
different privilege levels need an attribute that 
permits them to emulate the privilege level of 
the calling task. Such segments are termed 
‘conforming’ segments. Conforming 
segments are also useful for interrupt-driven 
error routines that need only be as privileged 
as the routine that caused the error. 


A conforming code segment has bit 2 of its 
access byte set to 1. This means it can be 
referenced by a CALL or JMP instruction in 
a task of equal or lesser privilege, i.e., CPL of 
the task is numerically greater than or equal 
to DPL of this segment. CPL does not change 
when executing the conforming code segment. 
A conforming segment continues to use the 
stack from the CPL. This is the only case in 
which the DPL of a code segment can be 
numerically less than the CPL. If bit 2 is a 0, 
the segment is not conforming and can be 
referenced only by a task of CPL=DPL. 


Inter-segment Returns that refer to conform- 
ing code segments use the RPL field of the 
code selector of the return address to deter- 
mine the new CPL. The RPL becomes the 
new CPL if the conforming code segment 
DPL=RPL. 


If a conforming segment is readable, it can be 
read from any privilege level without restriction. 
This is the only exception to the protection 
rules. This allows constants to be stored 
with conforming code. For example, a read-only 
look-up table can be embedded in a 
conforming code segment that can be used to 
convert system-wide logical ID’s into character 
strings that represent those logical entities. 


11.2.2 Expand-Down Data Segments 


If bit 2 in the access byte of a data segment 
is 1, the segment is an expand-down segment. 
All the offsets that reference such a segment 
must be strictly greater than the segment 
limit, as opposed to normal data segments (bit 
2=0) where all offsets must be less than or 
equal to the segment limit. Figure 11-1 shows 
an expand-down segment. 


The size of the expand down segment can be 
changed by changing either the base or the 
limit. An expand down segment with 
Limit=0 will have a size of 2^16 - 1 bytes. 
With a limit value of FFFFH, the expand 
down segment will have a size of 0 bytes. In 
an expand down segment, the base + offset 
value should always be greater than the base 
+ limit value. Therefore, a full size segment 
(2^16 bytes) can only be obtained by using an 
expand up segment. 


Figure 11-1. Expand-Down Segment 


The operating system should check the 
Expand-Down bit when a protection fault 
indicates that the limit of a data segment has 
been reached. If the Expand-Down bit is not 
set, the operating system should increase the 
segment limit; if it is set, the limit should be 
lowered. This supplies more room in either 
case (assuming the segment is not write- 
protected, i.e., that bit 1 is not 0). In some 
cases, if the operating system can ascertain 
that there is not enough room to expand the 
data segment to meet the need that caused 
the fault, it can move the data segment to a 
region of memory where there is enough 
room. See figure 11-2. 


11.3 POINTER VALIDATION 


Pointer validation is an important part of 
locating programming errors. Pointer valida- 
tion is necessary for maintaining isolation 
between the privilege levels. Pointer valida- 
tion consists of the following steps: 


1. Check if the supplier of the pointer is 
entitled to access the segment. 


2. Check if the segment type is appropriate 
to its intended use. 


3. Check if the pointer violates the segment 
limit. 


The iAPX 286 hardware automatically 
performs checks 2 and 3 during instruction 
execution, while software must assist in 
performing the first check. This point is 
discussed in section 11.3.2. Software can 
explicitly perform steps 2 and 3 to check for 
potential violations (rather than causing an 
exception). The unprivileged instructions 
LSL, LAR, VERR, and VERW are provided 
for this purpose. 


Figure 11-2. Dynamic Segment Relocation and Expansion of Segment Limit 


The load access rights (LAR) instruction 
obtains the access rights byte of a descriptor 
pointed to by the selector used in the instruction. 
If that selector is visible at the CPL, the 
instruction loads the access byte into the 
specified destination register as the higher 
byte (the low byte is zero) and the zero flag 
is set. Once loaded, the access bits can be 
tested. System segments such as a task state 
segment or a descriptor table cannot be read 
or modified. This instruction is used to verify 
that a pointer refers to a segment of the 
proper privilege level and type. If the RPL or 
CPL is greater than DPL, or the selector is 
outside the table limit, no access value is 
returned and the zero flag is cleared. 
Conforming code segments may be accessed 
from any RPL or CPL. 


Additional parameter checking can be 
performed via the load segment limit (LSL) 
instruction. If the descriptor denoted by the 
given selector (in memory or a register) is 
visible at the CPL, LSL loads the specified 
register with a word that consists of the limit 
field of that descriptor. This can only be done 
for segments, task state segments, and local 
descriptor tables (i.e., words from control 
descriptors are inaccessible). Interpreting the 
limit is a function of the segment type. For 
example, downward expandable data 
segments treat the limit differently than code 
segments do. 


For both LAR and LSL, the zero flag (ZF) 
is set if the loading was performed; otherwise, 
the zero flag is cleared. Both instructions are 
undefined in real address mode, causing an 
invalid opcode exception (interrupt #6). 


11.3.1 Descriptor Validation 


The iAPX 286 has two instructions, VERR 
and VERW, which determine whether a 
selector points to a segment that can be read 
or written at the current privilege level. 
Neither instruction causes a protection fault 
if the result is negative. 


VERR verifies a segment for reading and 
loads ZF with 1 if that segment is readable 
from the current privilege level. The valida- 
tion process checks that: 1) the selector points 
to a descriptor within the bounds of the GDT 
or LDT, 2) it denotes a segment descriptor 
(as opposed to a control descriptor), and 3) 
the segment is readable and of appropriate 
privilege level. The privilege check for data 
segments and non-conforming code segments 
is that the DPL must be numerically greater 
than or equal to both the CPL and the selec- 
tor’s RPL. Conforming segments are not 
checked for privilege level. 


VERW provides the same capability as 
VERR for verifying writability. Like the 
VERR instruction, VERW loads ZF with 1 if the 
result of the writability check is positive. The 
instruction checks that the descriptor is within 
bounds, is a segment descriptor, is writable, 
and that its DPL is numerically greater than or 
equal to both the CPL and the selector’s RPL. 
Code segments are never writable, conform- 
ing or not. 


11.3.2 Pointer Integrity: RPL and the 
“Trojan Horse Problem” 


The Requested Privilege Level (RPL) feature 
can prevent inappropriate use of pointers that 
could corrupt the operation of more privi- 
leged code or data from a less privileged level. 


A common example is a file system proce- 
dure, FREAD (file_id, nbytes, buffer_ptr). 
This hypothetical procedure reads data from 
a file into a buffer, overwriting whatever is 
there. Normally, FREAD would be available 
at the user level, supplying only pointers to 
the file system procedures and data located 
and operating at a privileged level. Normally, 
such a procedure prevents user-level proce- 
dures from directly changing the file tables. 
However, in the absence of a standard proto- 
col for checking pointer validity, a user-level 
procedure could supply a pointer into the file 
tables in place of its buffer pointer, causing 
the FREAD procedure to corrupt them 
unwittingly. 


By using the RPL, you can avoid such 
problems. The RPL field allows a privilege 
attribute to be assigned to a selector. This 
privilege attribute would normally indicate the 
privilege level of the code which generated the 
selector. The iAPX 286 hardware will 
automatically check the RPL of any selector 
loaded into a segment register or a control 
register to see if the RPL allows access. 


To guard against invalid pointers, the called 
procedure need only ensure that all selectors 
passed to it have an RPL at least as high 
(numerically) as the original caller’s CPL. 
This indicates that the selectors were not more 
trusted than their supplier. If one of the 
selectors is used to access a segment that the 
caller would not be able to access directly, i.e., 
the RPL is numerically greater than the DPL, 
then a protection fault will result when the 
selector is loaded into a segment or control register. 


The caller’s CPL is available in the CS selec- 
tor that was pushed on the stack as the return 
address. A special instruction, ARPL, can be 
used to appropriately adjust the RPL field of 
the pointer. ARPL (Adjust RPL field of 
selector instruction) adjusts the RPL field of 
a selector to become the larger of its original 
value and the value of the RPL field in a 
specified register. The latter is normally 
loaded from the caller’s CS register which can 
be found on the stack. If the adjustment 
changes the selector’s RPL, ZF is set; other- 
wise, the zero flag is cleared. 
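

The FREAD case above can be followed in a small C model of the checks that VERR, VERW, LSL and ARPL perform. This is an added example, not code from the manual: the descriptor layout is reduced to the fields the text mentions, the TI bit and expand-down segments are ignored, index 0 is treated as the null descriptor, and the sample table, selector values and the helper name fread_check_buffer are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Selector: index in bits 15..3, TI in bit 2 (ignored here), RPL in bits 1..0. */
#define SEL_RPL(s)   ((unsigned)(s) & 3u)
#define SEL_INDEX(s) ((unsigned)(s) >> 3)

/* Only the descriptor fields that the checks in section 11.3 look at. */
typedef struct {
    bool is_segment;  /* false: control descriptor (gate, TSS, LDT) */
    bool is_code, conforming, readable, writable;
    unsigned dpl;     /* 0 = most privileged */
    uint16_t limit;   /* offset of last byte (expand-up only in this model) */
} descriptor;
typedef struct { const descriptor *entries; size_t count; } desc_table;

/* Constructed sample table: every entry is an assumption for this demo. */
static const descriptor SAMPLE_ENTRIES[] = {
    {false, false, false, false, false, 0, 0},      /* 0: null descriptor */
    {true,  true,  false, true,  false, 0, 0xFFFF}, /* 1: kernel code     */
    {true,  false, false, true,  true,  0, 0x0FFF}, /* 2: file tables     */
    {true,  false, false, true,  true,  3, 0x01FF}, /* 3: user data       */
    {true,  true,  false, true,  false, 3, 0x7FFF}, /* 4: user code       */
};
static const desc_table SAMPLE_GDT = { SAMPLE_ENTRIES, 5 };
enum { KERNEL_CS = 0x08, FILE_TABLES_SEL = 0x10, USER_DATA_SEL = 0x1B, USER_CS = 0x23 };

static const descriptor *lookup(const desc_table *t, uint16_t sel) {
    unsigned i = SEL_INDEX(sel);
    return (i == 0 || i >= t->count) ? NULL : &t->entries[i];
}

/* Privilege rule from the text: DPL >= CPL and DPL >= RPL (numerically). */
static bool visible(const descriptor *d, uint16_t sel, unsigned cpl) {
    if (d->is_code && d->conforming) return true;   /* not checked for privilege */
    return d->dpl >= cpl && d->dpl >= SEL_RPL(sel);
}

/* VERR: returns the ZF result; never faults. */
static bool verr(const desc_table *t, uint16_t sel, unsigned cpl) {
    const descriptor *d = lookup(t, sel);
    if (!d || !d->is_segment) return false;
    if (d->is_code && !d->readable) return false;
    return visible(d, sel, cpl);
}

/* VERW: code segments are never writable, conforming or not. */
static bool verw(const desc_table *t, uint16_t sel, unsigned cpl) {
    const descriptor *d = lookup(t, sel);
    if (!d || !d->is_segment || d->is_code || !d->writable) return false;
    return d->dpl >= cpl && d->dpl >= SEL_RPL(sel);
}

/* LSL: stores the limit and returns ZF=1 only when the descriptor is visible. */
static bool lsl(const desc_table *t, uint16_t sel, unsigned cpl, uint16_t *limit) {
    const descriptor *d = lookup(t, sel);
    if (!d || !d->is_segment || !visible(d, sel, cpl)) return false;
    *limit = d->limit;
    return true;
}

/* ARPL: RPL becomes the larger of its own value and the caller's; ZF=1 if changed. */
static bool arpl(uint16_t *sel, uint16_t caller_cs) {
    if (SEL_RPL(*sel) >= SEL_RPL(caller_cs)) return false;
    *sel = (uint16_t)((*sel & ~3u) | SEL_RPL(caller_cs));
    return true;
}

typedef enum { PTR_OK, PTR_NOT_WRITABLE, PTR_OUT_OF_BOUNDS } ptr_status;

/* Entry check a level-0 FREAD could run on buffer_ptr. caller_cs is the CS
 * selector pushed on the stack by the call; use_arpl=false shows the gap. */
static ptr_status fread_check_buffer(const desc_table *t, uint16_t buf_sel,
                                     uint16_t buf_off, uint16_t nbytes,
                                     uint16_t caller_cs, bool use_arpl) {
    const unsigned cpl = 0;
    uint16_t limit;
    if (use_arpl) arpl(&buf_sel, caller_cs);        /* selector no more trusted than caller */
    if (!verw(t, buf_sel, cpl)) return PTR_NOT_WRITABLE;
    if (!lsl(t, buf_sel, cpl, &limit)) return PTR_NOT_WRITABLE;
    if (nbytes != 0 && (uint32_t)buf_off + nbytes - 1u > limit)
        return PTR_OUT_OF_BOUNDS;                   /* last byte must not pass the limit */
    return PTR_OK;
}

int main(void) {
    printf("file-table selector, RPL unchecked: %d\n",
           fread_check_buffer(&SAMPLE_GDT, FILE_TABLES_SEL, 0, 64, USER_CS, false));
    printf("file-table selector, after ARPL:    %d\n",
           fread_check_buffer(&SAMPLE_GDT, FILE_TABLES_SEL, 0, 64, USER_CS, true));
    printf("user buffer, after ARPL:            %d\n",
           fread_check_buffer(&SAMPLE_GDT, USER_DATA_SEL, 0, 64, USER_CS, true));
    printf("level 3 may read file tables:       %d\n",
           verr(&SAMPLE_GDT, FILE_TABLES_SEL | 3, 3));
    return 0;
}
```

Without the ARPL step the level-0 procedure validates the file-table selector against its own privilege and accepts it; with ARPL the same selector carries the caller's level and VERW rejects it.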


11.4 NPX CONTEXT SWITCHING 


The context of a processor extension (such as 
the 80287 numerics processor) is not changed 
by the task switch operation. A processor 
extension context need only be changed when 
a different task attempts to use the processor 
extension (which still contains the context of 
a previous task). The 80286 detects the first 
use of a processor extension after a task switch 
by causing the processor extension not-present 
exception (#7) if the TS bit is set. The inter- 
rupt handler may then decide whether a 
context change is necessary. 


The 286 services numeric errors only when it 
executes wait or escape instructions because 
the processor extension is running independ- 
ently. Therefore, the numerics error from one 
task may not be recorded until the 286 is 
running a different task. If the 286 task has 
changed, it makes sense to defer handling that 
error until the original task is restored. For 
example, interrupt handlers that use the NPX 
should not have their timing upset by a 
numeric error interrupt that pertains to some 
earlier process. It is of little value to service 
someone else’s error. 


If the task switch bit is set (bit 3 of MSW) 
when the CPU begins to execute a wait or 
escape instruction, the processor-extension 
not-present exception results (#7). The 
handler for this interrupt must know who 
currently “owns” the NPX, i.e., the handler 
must know the last task to issue a command 
to the NPX. If the owner is the same as the 
current task, then it was merely interrupted 
and the interrupt handler has since returned; 
the handler for interrupt 7 simply clears the 
TS bit, restores the working registers, and 
returns (restoring interrupts if enabled). 


If the recorded owner is different from the 
current task, the handler must first save the 
existing NPX context in the save area of the 
old task. It can then re-establish the correct 
NPX context from the current task’s save 
area. 


The code example in figure 11-3 relies on the 
convention that each TSS entry in the GDT 
is followed by an alias entry for a data 
segment that points to the same physical 
region of memory that contains the TSS. The 
alias segment also contains an area for saving 
the NPX context, the kernel stack, and certain 
kernel data. That is, the first 44 bytes in that 
segment are the 286 context, followed by 94 
bytes for the processor extension context, 
followed in some cases by the kernel stack and 
kernel private data areas. 


The implied convention is that the stack 
segment selector points to this data segment 
alias so that whenever there is an interrupt at 
level zero and SS is automatically loaded, all 
of the above information is immediately 
addressable. 


It is assumed that the program example knows 
about only one data segment that points to a 
global data area in which it can find the one 
word NPX owner to begin the processing 
described. The specific operations needed, and 
shown in the figure, are listed in table 11-1. 


11.5 MULTIPROCESSOR 
CONSIDERATIONS 


As mentioned in Chapter 8, a bus lock is 
applied during the testing and setting of the 
task busy bit to ensure that two processors do 
not invoke the same task at the same time. 
However, protection traps and conflicting use 
of dynamically varying segments or descrip- 
tors must be addressed by an inter-processor 
synchronization protocol. The protocol can use 
the indivisible semaphore operation of the 
base instruction set. Coordination of inter- 
rupt and trap vectoring must also be 
addressed when multiple concurrent proces- 
sors are operating. 


The interrupt bus cycles are locked so no 
interleaving occurs on those cycles. Descrip- 
tor caching is locked so that a descriptor 
reference cannot be altered while it is being 
fetched. 


When a program changes a descriptor that is 
shared with other processors, it should broad- 
cast this fact to the other processors. This 
broadcasting can be done with an inter- 
processor interrupt. The handler for this 
interrupt must ensure that the segment regis- 
ters, the LDTR and the TR, are re-loaded. 
This happens automatically if the interrupt is 
serviced by a task switch. 


Modification of descriptors of shared 
segments in multi-processor systems may 
require that the on-chip descriptors also be 
updated. For example, one processor may 
attempt to mark the descriptor of a shared 
segment as not-present while another is using 
it. Software has to ensure that the descriptors 
in the segment register caches are updated 
with the new information. The segment regis- 
ter caches can be updated by a re-entrant 
procedure that is invoked by an inter-processor 
interrupt. The handler must ensure 
that the segment registers, the LDTR and the 
TR, are re-loaded. This happens automati- 
cally if the interrupt is serviced by a task 
switch. 


ASSEMBLER INVOKED BY: ASM286.86 :F5:SWNPX.A86 
LOC   OBJ           LINE   SOURCE 
                       1   +1 $title('Switch the NPX Context on First Use After a Task Switch') 
                       2   ; 
                       3           name    switch_npx_context 
                       4   ; 
                       5           public  switch_npx_context 
                       6           extrn   last_npx_task:word 
                       7   ; 
                       8   ; This interrupt handler will switch the NPX context if a new task 
                       9   ; is attempting to use the NPX context of another task after a task 
                      10   ; switch. If the NPX context belongs to the current task, nothing happens. 
                      11   ; 
                      12   ; A trap gate should be placed in IDT entry 7 referring to this routine. 
                      13   ; The DPL of the gate should be 0 to prevent spoofing. The code segment 
                      14   ; must be at privilege level 0. 
                      15   ; 
                      16   ; The kernel stack is assumed to overlay the TSS so the NPX save area 
                      17   ; is placed at the end of the TSS area. 
                      18   ; 
                      19   ; A global word variable LAST_NPX_TASK identifies the TSS selector of 
                      20   ; the last task to use the NPX. 
                      21   ; 
002C                  22   npx_save_area   equ     word ptr 44     ; Offset of NPX save area in TSS 
                      23   +1 $eject 
                      24   kernel_code     segment er public 
0000                  26   switch_npx_context proc far wc(0) 
0000  50              28           push    ax                      ; Save working registers 
0001  1E              29           push    ds 
0002  B8----     E    30           mov     ax,seg last_npx_task    ; Get address of id of last NPX task 
0005  8ED8            31           mov     ds,ax 
0007  0F00C8          32           str     ax                      ; Get id of this task 
000A  24FC            33           and     al,not 3                ; Remove RPL field 
000C  0F06            34           clts                            ; Clear task switched flag 
000E  FA              35           cli                             ; No interrupts allowed! 
                      36   ; 
                      37   ; Last_npx_task cannot change due to other interrupts after this point. 
                      38   ; 
000F  3B060000   E    39           cmp     ax,ds:last_npx_task     ; See if same task 
0013  7412            40           je      same_task 
                      41 
0015  87060000   E    42           xchg    ax,ds:last_npx_task     ; Set new task id and get old one 
0019  050800          43           add     ax,8                    ; Go to TSS alias 
001C  8ED8            44           mov     ds,ax                   ; Address TSS of previous NPX task 
001E  DD362C00        45           fsave   ds:npx_save_area        ; Save old NPX state 
0022  36DD262C00      46           frstor  ss:npx_save_area        ; Get current NPX state 
0027                  47   same_task: 
0027  1F              48           pop     ds                      ; Return to interrupted program 
0028  58              49           pop     ax 
0029  CF              50           iret 
                      51 
                      52   switch_npx_context endp 
                      53 
                      54   kernel_code     ends 
*** WARNING #160, LINE #54, SEGMENT CONTAINS PRIVILEGED INSTRUCTIONS 
                      55           end 


Figure 11-3. Example of NPX Context Switching 
Table 11-1. NPX Context Switching 


Operation                                             Line (Figure 11-3) 

Save the working registers 
Set up address for kernel work area 
Get current task ID from Task Register 
Clear Task Switch flag to allow NPX work 
Inhibit interrupts 
Compare owner with current task ID 

If same owner: 
7a. Restore working registers 
7b. and return 

If owner is not current task: 
8a. Use owner ID to save old context in its TSS       42, 43, 44 
8b. Restore context of current task;                  45 
    restore working registers;                        46 
    and return                                        52 


11.6 SHUTDOWN 


Shutdown occurs when a severe error condi- 
tion prevents further processing. Shutdown is 
very similar to HLT in that the iAPX 286 
stops executing instructions. The 80286 
externally signals shutdown as a Halt bus 
cycle with A1 = 0. The NMI or RESET input 
will force the 80286 out of shutdown. The 
INTR input is ignored during shutdown. 
iAPX 286 SYSTEM INITIALIZATION 


$title('Switch the 80286 from Real Address Mode to Protected Mode') 

                name    switch_80286_modes 
                public  idt_desc,gdt_desc 
; 
; Switch the 80286 from real address mode into protected mode. 
; The initial EPROM GDT, IDT, TSS, and LDT (if any) constructed by BLD286 
; will be copied from EPROM into RAM. The RAM areas are defined by data 
; segments allocated as fixed entries in the GDT. The CPU registers for 
; the GDT, IDT, TSS, and LDT will be set to point at the RAM-based 
; segments. The base fields in the RAM-based GDT will also be updated to 
; point at the RAM-based segments. 
; 
; This code is used by adding it to the list of object modules given 
; to BLD286. BLD286 must then be told to place the segment 
; init_code at address FFFE10H. Execution of the mode switch code begins 
; after RESET. This happens because the mode switch code will start at 
; physical address FFFFF0H, which is the power up address. This code then 
; sets up RAM copies of the EPROM-based segments before jumping to the 
; initial task placed at a fixed GDT entry. After the jump, the CPU 
; executes in the state of the first task defined by BLD286. 
; 
; This code will not use any of the EPROM-based tables directly. 
; Such use would result in the 80286 writing into EPROM to set 
; the A bit. Any use of a GDT or TSS will always be in the RAM copy. 
; The limit and size of the EPROM-based GDT and IDT must be stored at 
; the public symbols idt_desc and gdt_desc. The location commands of BLD286 
; provide this function. 
; 
; Interrupts are disabled during this mode switching code. Full error 
; checking is made of the EPROM-based GDT, IDT, TSS, and LDT to assure 
; they are valid before copying them to RAM. If any of the RAM-based 
; alias segments are smaller than the EPROM segments they are to hold, 
; halt or shutdown will occur. In general, any exception or NMI will 
; cause shutdown to occur until the first task is invoked. 
; 
; If the RAM segment is larger than the EPROM segment, the RAM segment 
; will be expanded with zeros. If the initial TSS specifies an LDT, 
; the LDT will also be copied into ldt_alias with zero fill if needed. 
; 
; The EPROM-based or RAM-based GDT, IDT, TSS, and LDT segments may be located 
; anywhere in physical memory. 
; 
; Define layout of a descriptor. 
; 
desc            struc 
limit           dw      0               ; Offset of last byte in segment 
base_low        dw      0               ; Low 16 bits of 24-bit address 
base_high       db      0               ; High 8 bits of 24-bit address 
access          db      0               ; Access rights byte 
res             dw      0               ; Reserved word 
desc            ends 
; 
; Define the fixed GDT selector values for the descriptors that 
; define the EPROM-based tables. BLD286 must be instructed to place the 
; appropriate descriptors into the GDT. 
; 
gdt_alias       equ     1*size desc     ; GDT(1) is data segment in RAM for GDT 
idt_alias       equ     2*size desc     ; GDT(2) is data segment in RAM for IDT 
start_TSS_alias equ     3*size desc     ; GDT(3) is data segment in RAM for TSS 
start_task      equ     4*size desc     ; GDT(4) is TSS for starting task 
start_LDT_alias equ     5*size desc     ; GDT(5) is data segment in RAM for LDT 
; 
; Define machine status word bit positions. 
; 
PE              equ     1               ; Protection enable 
MP              equ     2               ; Monitor processor extension 
EM              equ     4               ; Emulate processor extension 
; 
; Define particular values of descriptor access rights byte. 
; 
DT_ACCESS       equ     82H             ; Access byte value for an LDT 
DS_ACCESS       equ     92H             ; Access byte value for data segment 
                                        ; which is grow up, at level 0, writeable 
TSS_ACCESS      equ     81H             ; Access byte value for an idle TSS 
DPL             equ     60H             ; Privilege level field of access rights 
ACCESSED        equ     1               ; Define accessed bit 
TI              equ     4               ; Position of TI bit 
TSS_SIZE        equ     44              ; Size of a TSS 
LDT_OFFSET      equ     42              ; Position of LDT in TSS 
TIRPL_MASK      equ     size desc-1     ; TI and RPL field mask 
; 
; Pass control from the power-up address to the mode switch code. 
; The segment containing this code must be at physical address FFFE10H 
; to place the JMP instruction at physical address FFFFF0H. The base 
; address is chosen according to the size of this segment. 
; 
init_code       segment er 
cs_offset       equ     0FE10H          ; Low 16 bits of starting address 
                org     0FFF0H-cs_offset ; Start at address FFFFF0H 
                jmp     reset_startup   ; Do not change CS! 
; 
; Define the template for a temporary GDT used to locate the initial 
; GDT and stack. This data will be copied to location 0. 
; This space is also used for a temporary stack and finally serves 
; as the TSS written into when entering the initial TSS. 
; 
                org     0               ; Place remaining code below power_up 
initial_gdt     desc    <>              ; Filler and null IDT descriptor 
gdt_desc        desc    <>              ; Descriptor for EPROM GDT 
idt_desc        desc    <>              ; Descriptor for EPROM IDT 
temp_desc       desc    <>              ; Temporary descriptor 
; 
; Define a descriptor that will point the GDT at location 0. 
; This descriptor will also be loaded into SS to define the initial 
; protected mode stack segment. 
; 
temp_stack      desc    <end_gdt-initial_gdt-1,0,0,DS_ACCESS,0> 
; 
; Define the TSS descriptor used to allow the task switch to the 
; first task to overwrite this region of memory. The TSS will overlay 
; the initial GDT and stack at location 0. 
; 
save_tss        desc    <end_gdt-initial_gdt-1,0,0,TSS_ACCESS,0> 
; 
; Define the initial stack space and filler for the end of the TSS. 
; 
                dw      8 dup (0) 
end_gdt         label   word 
start_pointer   label   dword 
                dw      0,start_task    ; Pointer to initial task 
; 
; Define template for the task definition list. 
; 
task_entry      struc                   ; Define layout of task description 
TSS_sel         dw      ?               ; Selector for TSS 
TSS_alias       dw      ?               ; Data segment alias for TSS 
LDT_alias       dw      ?               ; Data segment alias for LDT if any 
task_entry      ends 
task_list       task_entry <start_task,start_TSS_alias,start_LDT_alias> 
                dw      0               ; Terminate list 
reset_startup: 
                cli                     ; No interrupts allowed! 
                cld                     ; Use autoincrement mode 
                xor     di,di           ; Point ES:DI at physical address 000000H 
                mov     ds,di 
                mov     es,di 
                mov     ss,di           ; Set stack at end of reserved area 
                mov     sp,end_gdt-initial_gdt 
; 
; Form an adjustment factor from the real CS base of FF0000H to the 
; segment base address assumed by ASM286. Any data reference made 
; into CS must add an indexing term [BP] to compensate for the difference 
; between the offset generated by ASM286 and the offset required from 
; the base of FF0000H. 
; 
start           proc                    ; The value of IP at run time will not be 
                                        ; the same as the one used by ASM286! 
                call    start1          ; Get true offset of start1 
start1: 
                pop     bp 
                sub     bp,offset start1 ; Subtract ASM286 offset of start1 
                                        ; leaving adjustment factor in BP 
                lidt    initial_gdt[bp] ; Setup null IDT to force shutdown 
                                        ; on any protection error or interrupt 
; 
; Copy the EPROM-based temporary GDT into RAM. 
; 
                lea     si,initial_gdt[bp] ; Setup pointer to temporary GDT 
                                        ; template in EPROM 
                mov     cx,(end_gdt-initial_gdt)/2 ; Set length 
        rep     movs    es:word ptr [di],cs:[si] ; Put into reserved RAM area 
; 
; Look for 80287 processor extension. Assume all ones will be read 
; if an 80287 is not present. 
; 
                fninit                  ; Initialize 80287 if present 
                mov     bx,EM           ; Assume no 80287 
                fstsw   ax              ; Look at status of 80287 
                or      al,al           ; No errors should be present 
                jnz     set_mode        ; Jump if no 80287 
                fsetpm                  ; Put 80287 into protected mode 
                mov     bx,MP 
; 
; Switch to protected mode and setup a stack, GDT, and LDT. 
; 
set_mode: 
                smsw    ax              ; Get current MSW 
                or      ax,PE           ; Set PE bit 
                or      ax,bx           ; Set NPX status flags 
                lmsw    ax              ; Enter protected mode! 
                jmp     $+2             ; Clear queue of instructions decoded 
                                        ; while in Real Address Mode 
                                        ; CPL is now 0, CS still points at 
                                        ; FFFE10 in physical memory 
                lgdt    temp_stack[bp]  ; Use initial GDT in RAM area 
                mov     ax,temp_stack-initial_gdt ; Setup SS with valid protected mode 
                mov     ss,ax           ; selector to the RAM GDT and stack 
                xor     ax,ax           ; Set the current LDT to null 
                lldt    ax              ; Any references to it will cause 
                                        ; an exception causing shutdown 
                mov     ax,save_tss-initial_gdt ; Set initial TSS into the low RAM 
                ltr     ax              ; The task switch needs a valid TSS 
; 
; Copy the EPROM-based GDT into the RAM data segment alias. 
; First the descriptor for the RAM data segment must be copied into 
; the temporary GDT. 
; 
                mov     ax,gdt_desc[bp].limit ; Get size of GDT 
                cmp     ax,6*size desc-1 ; Be sure the last entry expected by 
                                        ; this code is inside the GDT 
                jb      bad_gdt         ; Jump if GDT is not big enough 
                mov     bx,gdt_desc-initial_gdt ; Form selector to EPROM GDT 
                mov     si,gdt_alias    ; Get selector of GDT alias 
                call    copy_EPROM_dt   ; Copy EPROM GDT into the RAM alias 
                mov     si,idt_alias    ; Get selector of IDT alias 
                mov     bx,idt_desc-initial_gdt ; Indicate EPROM IDT 
                call    copy_EPROM_dt 
                mov     ax,gdt_desc-initial_gdt ; Setup addressing into EPROM GDT 
                mov     ds,ax 
                mov     bx,gdt_alias    ; Get GDT alias data segment selector 
                lgdt    [bx]            ; Set GDT to RAM GDT 
                                        ; SS and TR remain in low RAM 
; 
; Copy all task's TSS and LDT segments into RAM 
; 
                lea     bx,task_list[bp] ; Define list of tasks to setup 
copy_task_loop: 
                call    copy_tasks      ; Copy them into RAM 
                add     bx,size task_entry ; Go to next entry 
                mov     ax,cs:[bx].tss_sel ; See if there is another entry 
                or      ax,ax 
                jnz     copy_task_loop 
; 
; With TSS, GDT, and LDT set, startup the initial task! 
; 
                mov     bx,gdt_alias    ; Point DS at GDT 
                mov     ds,bx 
                mov     bx,idt_alias    ; Get IDT alias data segment selector 
                lidt    [bx]            ; Set IDT for errors and interrupts 
                jmp     start_pointer[bp] ; Start the first task! 
                                        ; The low RAM area is overwritten with 
                                        ; the current CPU context 
bad_gdt: 
                hlt                     ; Halt here if GDT is not big enough 
start           endp 
; 
; Copy the TSS and LDT for the task pointed at by CS:BX. 
; If the task has an LDT it will also be copied down. 
; BX and BP are transparent. 
; 
bad_tss: 
                hlt                     ; Halt here if TSS is invalid 
copy_tasks      proc 
                mov     si,gdt_alias    ; Get addressability to GDT 
                mov     ds,si 
                mov     si,cs:[bx].tss_alias ; Get selector for TSS alias 
                mov     es,si           ; Point ES at alias data segment 
                lsl     ax,si           ; Get length of TSS alias 
                mov     si,cs:[bx].tss_sel ; Get TSS selector 
                lar     dx,si           ; Get alias access rights 
                jnz     bad_tss         ; Jump if invalid reference 
                mov     dl,dh           ; Save TSS descriptor access byte 
                and     dh,not DPL      ; Ignore privilege 
                cmp     dh,TSS_ACCESS   ; See if TSS 
                jnz     bad_tss         ; Jump if not 
                lsl     cx,si           ; Get length of EPROM based TSS 
                cmp     cx,TSS_SIZE-1   ; Verify it is of proper size 
                jb      bad_tss         ; Jump if it is not big enough 
; 
; Setup for moving the EPROM-based TSS to RAM 
; DS points at GDT 
; 
                mov     [si].access,DS_ACCESS ; Make TSS into data segment 
                mov     ds,si           ; Point DS at EPROM TSS 
                call    copy_with_fill  ; Copy DS segment to ES with zero fill 
                                        ; CX has copy count, AX-CX fill count 
; 
; Set the GDT TSS limit and base address to the RAM values. 
; 
                mov     ax,gdt_alias    ; Restore GDT addressing 
                mov     ds,ax 
                mov     es,ax 
                mov     di,cs:[bx].tss_sel ; Get TSS selector 
                mov     si,cs:[bx].tss_alias ; Get RAM alias selector 
                movsw                   ; Copy limit 
                movsw                   ; Copy low 16 bits of address 
                lodsw                   ; Get high 8 bits of address 
                mov     ah,dl           ; Mark as TSS descriptor 
                stosw                   ; Fill in high address and access bytes 
                movsw                   ; Copy reserved word 
; 
; See if a valid LDT is specified for the startup task 
; If so then copy the EPROM version into the RAM alias. 
; 
                mov     ds,cs:[bx].tss_alias ; Address TSS to get LDT 
                mov     si,ds:word ptr LDT_OFFSET 
                and     si,not TIRPL_MASK ; Ignore TI and RPL 
                jz      no_ldt          ; Skip this if no LDT used 
                push    si              ; Save LDT selector 
                lar     dx,si           ; Test descriptor 
                jnz     bad_ldt         ; Jump if invalid selector 
                mov     dl,dh           ; Save LDT descriptor access byte 
                and     dh,not DPL      ; Ignore privilege 
                cmp     dh,DT_ACCESS    ; Be sure it is an LDT descriptor 
                jne     bad_ldt         ; Jump if invalid 
                mov     es:[si].access,DS_ACCESS ; Mark LDT as data segment 
                mov     ds,si           ; Point DS at EPROM LDT 
                lsl     ax,si           ; Get LDT limit 
                call    test_dt_limit   ; Verify it is valid 
                mov     cx,ax           ; Save for later 
; 
; Examine the LDT alias segment and, if good, copy to RAM 
; 
                mov     si,cs:[bx].ldt_alias ; Get LDT alias selector 
                mov     es,si           ; Point ES at alias segment 
                lsl     ax,si           ; Get length of alias segment 
                call    test_dt_limit   ; Verify it is valid 
                call    copy_with_fill  ; Copy LDT into RAM alias segment 
; 
; Set the LDT limit and base address to the RAM copy of the LDT. 
; 
                mov     si,cs:[bx].ldt_alias ; Restore LDT alias selector 
                pop     di              ; Restore LDT selector 
                mov     ax,gdt_alias    ; Restore GDT addressing 
                mov     ds,ax 
                mov     es,ax 
                movsw                   ; Move the RAM LDT limit 
                movsw                   ; Move the low 16 bits across 
                lodsw                   ; Get the high 8 bits 
                mov     ah,dl           ; Mark as LDT descriptor 
                stosw                   ; Set high address and access rights 
                movsw                   ; Copy reserved word 
no_ldt: 
                ret                     ; All done 
bad_ldt: 
                hlt                     ; Halt here if LDT is invalid 
copy_tasks      endp 


; 
; Test the descriptor table size in AX to verify that it is an 
; even number of descriptors in length. 
; 
test_dt_limit   proc 
                push    ax              ; Save length 
                and     al,7            ; Look at low order bits 
                cmp     al,7            ; Must be all ones 
                pop     ax              ; Restore length 
                jne     bad_dt_limit 
                ret                     ; All OK 
bad_dt_limit: 
                hlt                     ; Die! 
test_dt_limit   endp 
; 
; Copy the EPROM DT at selector BX in the temporary GDT to the alias 
; data segment at selector SI. Any improper descriptors or limits 
; will cause shutdown! 
; 
copy_EPROM_dt   proc 
                mov     ax,ss           ; Point ES:DI at temporary descriptor 
                mov     es,ax 
                mov     es:[bx].access,DS_ACCESS ; Mark descriptor as a data segment 
                mov     es:[bx].res,0   ; Clear reserved word 
                lsl     ax,bx           ; Get limit of EPROM DT 
                mov     cx,ax           ; Save for later 
                call    test_dt_limit   ; Verify it is a proper limit 
                mov     di,gdt_desc-initial_gdt ; Address EPROM GDT in DS 
                mov     ds,di 
                mov     di,temp_desc-initial_gdt ; Get selector for temporary descriptor 
                push    di              ; Save offset for later use as selector 
                lodsw                   ; Get alias segment size 
                call    test_dt_limit   ; Verify it is an even multiple of 
                                        ; descriptors in length 
                stosw                   ; Put length into temporary 
                movsw                   ; Copy remaining entries into temporary 
                movsw 
                movsw 
                pop     es              ; ES now points at the GDT alias area 
                mov     ds,bx           ; DS now points at EPROM DT as data 
                                        ; Copy segment to alias with zero fill 
                                        ; CX is copy count, AX-CX is fill count 
                                        ; Fall into copy_with_fill 
copy_EPROM_dt   endp 
; 
; Copy the segment at DS to the segment at ES for length CX. 
; Fill the end with AX-CX zeros. Use word operations for speed but 
; allow odd byte operations. 
; 
copy_with_fill  proc 
                xor     si,si           ; Start at beginning of segments 
                xor     di,di 
                sub     ax,cx           ; Form fill count 
                add     cx,1            ; Convert limit to count 
                rcr     cx,1            ; Allow full 64K move 
        rep     movsw                   ; Copy DT into alias area 
                xchg    ax,cx           ; Get fill count and zero AX 
                jnc     even_copy       ; Jump if even byte count on copy 
                movsb                   ; Copy odd byte 
                or      cx,cx 
                jz      exit_copy       ; Exit if no fill 
                stosb                   ; Even out the segment offset 
                dec     cx              ; Adjust remaining fill count 
even_copy: 
                shr     cx,1            ; Form word count on fill 
        rep     stosw                   ; Clear unused words at end 
                jnc     exit_copy       ; Exit if no odd byte remains 
                stosb                   ; Clear last odd byte 
exit_copy: 
                ret 
copy_with_fill  endp 
init_code       ends 
                end 
APPENDIX B 
THE iAPX 286 INSTRUCTION SET 


This section presents the iAPX 286 instruction 
set using Intel’s ASM286 notation. All 
possible operand types are shown. Instruc- 
tions are organized alphabetically according 
to generic operations. Within each operation, 
many different instructions are possible 
depending on the operand. The pages are 
presented in a standardized format, the 
elements of which are described in the 
following paragraphs. 


Opcode 


This column gives the complete object code 
produced for each form of the instruction. 
Where possible, the codes are given as 
hexadecimal bytes, presented in the order in 
which they will appear in memory. Several 
shorthand conventions are used for the parts 
of instructions which specify operands. These 
conventions are as follows: 


/n: (n is a digit from 0 through 7) A ModRM 
byte, plus a possible immediate and displace- 
ment field follow the opcode. See figure B-1 
for the encoding of the fields. The digit n is 
the value of the REG field of the ModRM 
byte. To obtain the possible hexadecimal 
values for /n, refer to column n of table B-1. 
Each row gives a possible value for the effec- 
tive address operand to the instruction. The 
entry at the end of the row indicates whether 
the effective address operand is a register or 
memory; if memory, the entry indicates what 
kind of indexing and/or displacement is used. 
Entries with D8 or D16 signify that a one- 
byte or two-byte displacement quantity 
immediately follows the ModRM and optional 
immediate field bytes. The signed displace- 
ment is added to the effective address offset. 


/r: A ModRM byte that contains both a 
register operand and an effective address 
operand, followed by a possible immediate 
and displacement field. See figure B-2 for the 
encoding of the fields. The ModRM byte 
could be any value appearing in table B-1. 
The column determines which register 
operand was selected; the row determines the 
form of effective address. If the row entry 
mentions D8 or D16, then a one-byte or two- 
byte displacement follows, as described in the 
previous paragraph. 


cb: A one-byte signed displacement in the 
range of —128 to +127 follows the opcode. 
The displacement is sign-extended to 16 bits, 
and added modulo 65536 to the offset of the 
instruction FOLLOWING this instruction to 
obtain the new IP value. 


cw: A two-byte displacement is added modulo 
65536 to the offset of the instruction 
FOLLOWING this instruction to obtain the 
new IP value. 


cd: A two-word pointer which will be the new 
CS:IP value. The offset is given first, followed 
by the selector. 


db: An immediate byte operand to the 
instruction which follows the opcode and 
ModRM bytes. The opcode determines if it is 
a signed value. 


dw: An immediate word operand to the 
instruction which follows the opcode and 
ModRM bytes. All words are given in the 
iAPX 286 with the low-order byte first. 


+rb: A register code from 0 through 7 which 
is added to the hexadecimal byte given at the 
left of the plus sign to form a single opcode 
byte. The codes are: AL=0, CL=1, DL=2, 
BL=3, AH=4, CH=5, DH=6, and BH=7. 
/n Instruction Byte Format 


“mod” Field Bit Assignments 


DISP = 0(2), disp-low and disp-high are absent 
DISP = disp-low sign-extended to 16-bits, disp-high is absent 
DISP = disp-high: disp-low 
r/m is treated as a “reg” field 


“r/m” Field Bit Assignments 


(BX) + (SI) + DISP 
(BX) + (DI) + DISP 
(BP) + (SI) + DISP 
(BP) + (DI) + DISP 
(SI) + DISP 
(DI) + DISP 
(BP) + DISP(2) 
(BX) + DISP 


DISP follows 2nd byte of instruction (before data if required). 


NOTES: 
1. Opcode indicates presence and size of immediate value. 
2. Except if mod=00 and r/m=110 then EA=disp-high: disp-low. 


Figure B-1. /n Instruction Byte Format 
Table B-1. ModRM Values 


CL  DL  BL  AH  CH  DH 
CX  DX  BX  SP  BP  SI 
1   2   3   4   5   6 


ModRM values     Effective address 


[BX + SI] 
[BX + DI] 
[BP + SI] 
[BP + DI] 
[SI] 
[DI] 
D16 (simple var) 
[BX] 

[BX + SI] + D8 
[BX + DI] + D8 
[BP + SI] + D8 
[BP + DI] + D8 
[SI] + D8 
[DI] + D8 
[BP] + D8(2) 
[BX] + D8 

[BX + SI] + D16(3) 
[BX + DI] + D16 
[BP + SI] + D16 
[BP + DI] + D16 
[SI] + D16 
[DI] + D16 
[BP] + D16(2) 
[BX] + D16 

Ew=AX  Eb=AL 
Ew=CX  Eb=CL 
Ew=DX  Eb=DL 
Ew=BX  Eb=BL 
Ew=SP  Eb=AH 
Ew=BP  Eb=CH 
Ew=SI  Eb=DH 
Ew=DI  Eb=BH 


NOTES: 
1. D8 denotes an 8-bit displacement following the ModRM byte that is sign-extended and added to the index. 
2. Default segment register is SS for effective addresses containing a BP index; DS is for other memory 
effective addresses. 
3. D16 denotes the 16-bit displacement following the ModRM byte that is added to the index. 




THE iAPX 286 INSTRUCTION SET 


/r Instruction Byte Format


“mod” Field Bit Assignments

DISP = 0 (2), disp-low and disp-high are absent
DISP = disp-low sign-extended to 16 bits, disp-high is absent
DISP = disp-high:disp-low
r/m is treated as a “reg” field


“r” Field Bit Assignments


“r/m” Field Bit Assignments

Operand Address

(BX) + (SI) + DISP
(BX) + (DI) + DISP
(BP) + (SI) + DISP
(BP) + (DI) + DISP
(SI) + DISP
(DI) + DISP
(BP) + DISP (2)
(BX) + DISP


DISP follows 2nd byte of instruction (before data if required).


NOTES:
1. Opcode indicates presence and size of immediate field.
2. Except if mod=00 and r/m=110 then EA=disp-high:disp-low.


Figure B-2. /r Instruction Byte Format
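

The field rules of Figures B-1 and B-2 and the rows of Table B-1, worked through as an added C example (not code from the Intel manual). The bit positions (mod = bits 7-6, reg or /n = bits 5-3, r/m = bits 2-0) and the three-bit r/m codes are the standard 8086/80286 encoding, supplied here because the bit-pattern columns of the figures are not legible on this page; the type and function names are hypothetical and the register values and operand bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed register values; only the registers an r/m field can name. */
struct regs { uint16_t bx, bp, si, di; };

struct modrm {
    uint8_t  mod, reg, rm;  /* bits 7-6, 5-3 and 2-0 of the ModRM byte */
    int      is_reg;        /* mod = 11: r/m is treated as a "reg" field */
    int16_t  disp;          /* DISP after sign extension, 0 when absent */
    int      len;           /* ModRM byte plus displacement bytes consumed */
    char     seg[3];        /* default segment: SS with a BP index, else DS */
    uint16_t ea;            /* effective address, computed modulo 65536 */
};

/* Decode a ModRM byte and its displacement from buf[0..n).
 * Returns 0 on success, -1 when the displacement bytes are missing. */
int decode_modrm(const uint8_t *buf, size_t n, const struct regs *r,
                 struct modrm *out)
{
    uint16_t sum = 0;
    int direct, dbytes;

    if (n < 1)
        return -1;
    memset(out, 0, sizeof *out);
    out->mod = buf[0] >> 6;
    out->reg = (buf[0] >> 3) & 7;
    out->rm  = buf[0] & 7;
    out->len = 1;
    if (out->mod == 3) {            /* register operand: no EA, no segment */
        out->is_reg = 1;
        return 0;
    }
    direct = (out->mod == 0 && out->rm == 6);   /* note 2 of the figures */
    dbytes = direct ? 2 : out->mod;             /* mod 00/01/10 -> 0/1/2 */
    if (n < (size_t)(1 + dbytes))
        return -1;                  /* never read past the fetched bytes */
    if (dbytes == 1)
        out->disp = (int8_t)buf[1];             /* disp-low sign-extended */
    else if (dbytes == 2)                       /* low-order byte first */
        out->disp = (int16_t)(uint16_t)(buf[1] | (buf[2] << 8));
    out->len += dbytes;

    strcpy(out->seg, "DS");
    switch (out->rm) {
    case 0: sum = (uint16_t)(r->bx + r->si); break;
    case 1: sum = (uint16_t)(r->bx + r->di); break;
    case 2: sum = (uint16_t)(r->bp + r->si); strcpy(out->seg, "SS"); break;
    case 3: sum = (uint16_t)(r->bp + r->di); strcpy(out->seg, "SS"); break;
    case 4: sum = r->si; break;
    case 5: sum = r->di; break;
    case 6: if (!direct) { sum = r->bp; strcpy(out->seg, "SS"); } break;
    case 7: sum = r->bx; break;
    }
    out->ea = (uint16_t)(sum + (uint16_t)out->disp);
    return 0;
}

int main(void)
{
    /* Constructed operand bytes: ModRM followed by displacement. */
    static const uint8_t samples[][3] = {
        {0x00, 0, 0}, {0x46, 0xFE, 0}, {0x06, 0x34, 0x12},
        {0x81, 0x00, 0xF0}, {0xC3, 0, 0},
    };
    const struct regs r = { 0x1000, 0x0100, 0x0020, 0x0010 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct modrm m;
        if (decode_modrm(samples[i], 3, &r, &m) != 0)
            continue;
        if (m.is_reg)
            printf("%02X: reg=%u r/m=register %u\n",
                   samples[i][0], m.reg, m.rm);
        else
            printf("%02X: reg=%u EA=%s:%04X len=%d\n",
                   samples[i][0], m.reg, m.seg, m.ea, m.len);
    }
    return 0;
}
```

The fourth sample shows the 16-bit wraparound: BX + DI + D16 overflows 0FFFFH and the effective address comes out as 0010H.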


+rw: A register code from 0 through 7 which
is added to the hexadecimal byte given at the
left of the plus sign to form a single opcode
byte. The codes are: AX=0, CX=1, DX=2,
BX=3, SP=4, BP=5, SI=6, and DI=7.


Instruction 


This column gives the instruction mnemonic 
and possible operands. The type of operand 
used will determine the opcode and operand 
encodings. The following entries list the type 
of operand which can be encoded in the 
format shown in the instruction column. The 
Intel convention is to place the destination 
operand as the left hand operand. Source-only 
operands follow the destination operand. 


In many cases, the same instruction can be 
encoded several ways. It is recommended that 
you use the shortest encoding. The short 
encodings are provided to save memory space. 


cb: a destination instruction offset in the 
range of 128 bytes before the end of this 
instruction to 127 bytes after the end of this 
instruction.


cw: a destination offset within the same code 
segment as this instruction. Some instruc- 
tions allow a short form of destination offset. 
See cb type for more information. 


cd: a destination address, typically in a 
different code segment from this instruction. 
Using the cd: address form with call instruc- 
tions saves the code segment selector. 


db: a signed value between -128 and +127
inclusive which is an operand of the instruc- 
tion. For instructions in which the db is to be 
combined in some way with a word operand, 
the immediate value is sign-extended to form 
a word. The upper byte of the word is filled 
with the topmost bit of the immediate value. 


dw: an immediate word value which is an 
operand of the instruction. 


eb: a byte-sized operand. This is either a byte 
register or a (possibly indexed) byte memory 
variable. Either operand location may be 
encoded in the ModRM field. Any memory 
addressing mode may be used. 


ed: a memory-based pointer operand. Any 
memory addressing mode may be used. Use 
of a register addressing mode will cause 
exception 6. 


ew: a word-sized operand. This is either a 
word register or a (possibly indexed) word 
memory variable. Either operand location 
may be encoded in the ModRM field. Any 
memory addressing mode may be used. 


m: a memory location. Operands in registers 
do not have a memory address. Any memory 
addressing mode may be used. Use of a regis- 
ter addressing mode will cause exception 6. 


mb: a memory-based byte-sized operand. Any 
memory addressing mode may be used. 


mw: a memory-based word operand. Any 
memory addressing mode may be used. 


rb: one of the byte registers AL, CL, DL, BL, 
AH, CH, DH, or BH; rb has the value 
0,1,2,3,4,5,6, and 7, respectively. 


rw: one of the word registers AX, CX, DX, 
BX, SP, BP, SI, or DI; rw has the value 
0,1,2,3,4,5,6, and 7, respectively.


xb: a simple byte memory variable without a 
base or index register. MOV instructions 
between AL and memory have this optimized 
form if no indexing is required. 


xw: a simple word memory variable without 
a base or index register. MOV instructions 
between AX and memory have this optimized 
form if no indexing is required. 


Clocks


This column gives the number of clock cycles 
that this form of the instruction takes to 
execute. The amount of time for each clock 
cycle is computed by dividing one micro- 
second by the number of MHz at which the 
80286 is running. For example, a 10-MHz 
80286 (with the CLK pin connected to a 
20-MHz crystal) takes 100 nanoseconds for 
each clock cycle. 


Add one clock to instructions that use the base
plus index plus displacement form of addressing.
Add two clocks for each 16-bit memory
based operand reference located on an odd
physical address. Add one clock for each wait
state added to each memory read. Wait states
inserted in memory writes or instruction
fetches do not necessarily increase execution
time.


The clock counts establish the maximum 
execution rate of the 80286. With no delays 
in bus cycles, the actual clock count of an 
80286 program will average 5-10% more than 
the calculated clock count due to instruction 
sequences that execute faster than they can 
be fetched from memory. 


Some instruction forms give two clock counts, 
one unlabelled and one labelled. These counts 
indicate that the instruction has two different 
clock times for two different circumstances. 
Following are the circumstances for each 
possible label: 


mem: The instruction has an operand that can 
either be a register or a memory variable. The 
unlabelled time is for the register; the mem 
time is for the memory variable. Also, one 
additional clock cycle is taken for indexed 
memory variables for which all three possible 
indices (base register, index register, and 
displacement) must be added.


noj: The instruction involves a conditional
jump or interrupt. The unlabelled time holds
when the jump is made; the noj time holds
when the jump is not made.


pm: The instruction takes more time to
execute when the 80286 is in Protected Mode.
The unlabelled time is for Real Address 
Mode; the pm time is for Protected Mode. 


Description 


This is a concise description of the operation 
performed for this form of the instruction. 
More details are given in the “Operation” 
section that appears later in this chapter. 


Flags Modified 


This is a list of the flags that are set to a 
meaningful value by the instruction. If a flag 
is always set to the same value by the instruction,
the value is given (“=0” or “=1”) after
the flag name.


Flags Undefined 


This is a list of the flags that have an 
undefined (meaningless) setting after the 
instruction is executed. 


All flags not mentioned under “Flags
Modified” or “Flags Undefined” are
unchanged by the instruction.


Operation


This section fully describes the operation
performed by the instruction. For some of the
more complicated instructions, suggested
usage is also indicated.


Protected Mode Exceptions 


The possible exceptions involved with this 
instruction when running under the iAPX 286 
Protected Mode are listed below. These 
exceptions are abbreviated with a pound sign 
(#) followed by two capital letters and an 
optional error code in parentheses. For
example, #GP(0) denotes the general protection
exception with an error code of zero. The
next section describes all of the iAPX 286
exceptions and the machine state upon entry
to the exception.


If you are an applications programmer, 
consult the documentation provided with your 
operating system to determine what actions 
are taken by the system when exceptions 
occur. 


Real Address Mode Exceptions 


Since less error checking is performed by the 
iAPX 286 when it is in Real Address Mode, 
there are fewer exceptions in this mode. One 
exception that is possible in many instruc- 
tions is #GP(0). Exception 13 is generated 
whenever a word operand is accessed from 
effective address 0FFFFH in a segment. This
happens because the second byte of the word 
is considered located at location 10000H, not 
at location 0, and thus exceeds the segment’s 
addressability limit. 


Protection Exceptions 


In parallel with the execution of instructions, 
the protected-mode iAPX 286 checks all 
memory references for validity of addressing 
and type of access. Violation of the memory 
protection rules built into the processor will 
cause a transfer of program control to one of 
the interrupt procedures described in this 
section. The interrupts have dedicated
positions within the Interrupt Descriptor
Table, which is shown in table B-2. The interrupts
are referenced within the instruction set
pages by a pound sign (#) followed by a two-letter
mnemonic and the optional error code
in parentheses.


Error Codes 


Some exceptions cause the iAPX 286 to pass 
a 16-bit error code to the interrupt proce- 
dure. When this happens, the error code is the 
last item pushed onto the stack before control 
is transferred to the interrupt procedure. If
stacks were switched as a result of the inter- 
rupt (causing a privilege change or task 
switch), the error code appears on the inter- 
rupt procedure’s stack, not on the stack of the 
task that was interrupted. 


The error code generally contains the selector 
of the segment that caused the protection 
violation. The RPL field (bottom two bits) of 
the error code does not, however, contain the 
privilege level. Instead, it contains the follow- 
ing information: 


• Bit 0 contains the value 1 if the exception
was detected during an interrupt caused
by an event external to the program (i.e.,
an external interrupt, a single step, a
processor extension not-present exception,
or a processor extension segment
overrun). Bit 0 is 0 if the exception was
detected while processing the regular
instruction stream, even if the instruction
stream is part of an external interrupt
handling procedure or task. If bit 0 is set,
the instruction pointed to by the saved
CS:IP address is not responsible for the
error. The current task can be restarted
unless this is exception 9.


• Bit 1 is 1 if the selector points to the
Interrupt Descriptor Table. In this case,
bit 2 can be ignored, and bits 3-10 contain
the index into the IDT.


• Bit 1 is 0 if the selector points to the
Global or Local Descriptor Tables. In this
case, bits 2-15 have their usual selector
interpretation: bit 2 selects the table
(1=Local, 0=Global), and bits 3-15 are
the index into the table.


Table B-2. Protection Exceptions of the iAPX 286


Mnemonic    Interrupt    Exception

#UD         6            Undefined Opcode
#NM         7            No Math Unit Available
#DF         8            Double Fault
#MP         9            Math Unit Protection Fault
#TS         10           Invalid Task State Segment
#NP         11           Not Present
#SS         12           Stack Fault
#GP         13           General Protection
#MF         16           Math Fault


In some cases the iAPX 286 chooses to pass 
an error code with no information in it. In 
these cases, all 16 bits of the error code are 
zero.
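

A handler-side decoder for the error-code layout described above, added here as an illustration and not taken from the manual. The type and function names are hypothetical and the sample (vector, error code) pairs are constructed; the point to notice is that bits 0-1 are decoded as the external-event and IDT flags, never as a privilege level.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum err_table { ERR_NONE, ERR_GDT, ERR_LDT, ERR_IDT };

struct err_info {
    int            external;  /* bit 0: raised while handling an external event */
    enum err_table table;     /* table the index refers to; ERR_NONE for code 0 */
    unsigned       index;     /* entry number within that table */
};

/* Error-code convention per vector, from the exception headings of this
 * section: 0 = none pushed, 1 = always zero, 2 = selector,
 * 3 = selector or zero, -1 = vector not described here. */
int error_code_kind(int vector)
{
    switch (vector) {
    case 6: case 7: case 9: case 16: return 0;   /* #UD #NM #MP #MF */
    case 8:                          return 1;   /* #DF */
    case 10: case 11:                return 2;   /* #TS #NP */
    case 12: case 13:                return 3;   /* #SS #GP */
    default:                         return -1;
    }
}

/* Split a 16-bit error code. Bits 0-1 are NOT a requested privilege level. */
struct err_info decode_error_code(uint16_t code)
{
    struct err_info e = { 0, ERR_NONE, 0 };

    if (code == 0)                       /* the "no information" form */
        return e;
    e.external = code & 1;
    if (code & 2) {                      /* bit 1 = 1: IDT, bit 2 ignored */
        e.table = ERR_IDT;
        e.index = (code >> 3) & 0xFF;    /* bits 3-10 */
    } else {                             /* bit 2: 1 = Local, 0 = Global */
        e.table = (code & 4) ? ERR_LDT : ERR_GDT;
        e.index = code >> 3;             /* bits 3-15 */
    }
    return e;
}

/* Render one log line for a handler; returns the snprintf() result. */
int format_error_code(int vector, uint16_t code, char *buf, size_t n)
{
    static const char *const names[] = { "none", "GDT", "LDT", "IDT" };
    struct err_info e = decode_error_code(code);
    int kind = error_code_kind(vector);

    if (kind < 0)
        return snprintf(buf, n, "vector %d: not listed in Table B-2", vector);
    if (kind == 0)
        return snprintf(buf, n, "vector %d: no error code pushed", vector);
    if (e.table == ERR_NONE)
        return snprintf(buf, n, "vector %d: error code 0 (no information)",
                        vector);
    return snprintf(buf, n, "vector %d: %s entry %u%s", vector,
                    names[e.table], e.index,
                    e.external ? ", external event" : "");
}

int main(void)
{
    /* Constructed (vector, error code) pairs, not captured from hardware. */
    static const struct { int vector; uint16_t code; } samples[] = {
        { 13, 0x0000 }, { 11, 0x001C }, { 10, 0x0029 },
        { 13, 0x0042 }, { 6, 0x0000 },
    };
    char line[80];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_error_code(samples[i].vector, samples[i].code,
                          line, sizeof line);
        puts(line);
    }
    return 0;
}
```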


The existence and type of error codes are
described under each of the following individual
exceptions:


#DF 8 Double Fault (Zero Error Code)


This exception is generated when a second 
exception is detected while the processor is
attempting to transfer control to the handler 
for an exception. For instance, it is generated 
if the code segment containing the exception 
handler is marked not present. It is also 
generated if invoking the exception handler 
causes a stack overflow. 


This exception is not generated during the 
execution of an exception handler. Faults
detected within the instruction stream are 
handled by regular exceptions. 


The error code is normally zero. The saved 
CS:IP will point at the instruction that was 
attempting to execute when the double fault 
occurred. Since the error code is normally
zero, no information on the source of the 
exception is available. Restart is not possible. 


If another exception is detected while 
attempting to perform the double fault 
exception, the iAPX 286 will enter shutdown 
(see section 11.5). 


#GP 13 General Protection (Selector or
Zero Error Code)


This exception is generated for all protection 
violations not covered by the other exceptions 
in this section. Examples of this include: 


1. An attempt to address a memory location
by using an offset that exceeds the limit
for the segment involved.


2. An attempt to jump to a data segment. 


3. An attempt to load SS with a selector for 
a read-only segment. 


4. An attempt to write to a read-only 
segment. 


If #GP occurred while loading a descriptor,
the error code passed contains the selector
involved. Otherwise, the error code is zero.


If the error code is not zero, the instruction
can be restarted if the erroneous condition is
rectified. If the error code is zero either a limit
violation, a write protect violation, or an
illegal use of invalid segment register
occurred. An invalid segment register contains
the values 0-3. A write protect fault on ADC,
SBB, RCL, RCR, or XCHG is not restartable.


#MF 16 Math Fault (No Error Code) 


This exception is generated when the numeric
processor extension (the 80287) detects an
error signalled by the ERROR input pin
leading from the 80287 to the 80286. The
ERROR pin is tested at the beginning of most
floating point instructions, and when a WAIT
instruction is executed with the EM bit of the
Machine Status Word set to 0 (i.e., no
emulation of the math unit). The floating
point instructions that do not cause the
ERROR pin to be tested are FNCLEX,
FNINIT, FSETPM, FNSTCW, FNSTSW,
FNSAVE, and FNSTENV.


If the handler corrects the error condition 
causing the exception, the floating point 
instruction that caused #MF can be restarted. 
This is not accomplished by IRET, however, 
since the fault occurs at the floating point 
instruction that follows the offending instruc- 
tion. Before restarting the numeric instruc- 
tion, the handler must obtain from the 80287 
the address of the offending instruction and 
the address of the optional numeric operand. 


#MP 9 Math Unit Protection Fault 
(No Error Code) 


This exception is generated if the numeric 
operand is larger than one word and has the 
second or subsequent words outside the 
segment’s limit. Not all math addressing 
errors cause exception 9. If the effective 
address of an ESCAPE instruction is not in 
the segment’s limit, or if a write is attempted 
on a read-only segment, or if a one-word 
operand violates a segment limit, exception 13 
will occur. 


The #MP exception occurs during the execu- 
tion of the numeric instruction by the 80287. 
Thus, the 80286 may be in an unrelated 
instruction stream at the time. Exception 9 
may occur in a task unrelated to the task that 
executed the ESC instruction. The operating 
system should keep track of which task last 
used the NPX (see section 11.4). 


The offending floating point instruction
cannot be restarted; the task which attempted
to execute the offending numeric instruction
must be aborted. However, if exception 9
interrupted another task, the interrupted task
may be restarted.


The exception 9 handler must execute 
FNINIT before executing any ESCAPE or 
WAIT instruction. 


#NM 7 No Math Unit Available 
(No Error Code) 


This exception occurs when any floating point 
instruction is executed while the EM bit or 
the TS bit of the Machine Status Word is 1. 
It also occurs when a WAIT instruction is 
encountered and both the MP and TS bits of 
the Machine Status Word are 1. 


Depending on the setting of the MSW bits 
that caused this exception, the exception 
handler could provide emulation of the 80287, 
or it could perform a context switch of the 
math processor to prepare it for use by 
another task. 


The instruction causing #NM can be restarted 
if the handler performs a numeric context 
switch. If the handler provided emulation of 
the math unit, it should advance the return 
pointer beyond the floating point instruction 
that caused #NM.


#NP 11 Not Present (Selector Error Code) 


This exception occurs when CS, DS, ES, or 
the Task Register is loaded with a descriptor 
that is marked not present but is otherwise 
valid. It can occur in an LLDT instruction, 
but the #NP exception will not occur if the 
processor attempts to load the LDT register 
during a task switch. A not-present LDT 
encountered during a task switch causes the 
#TS exception. 


The error code passed is the selector of the
descriptor that is marked not present.


Typically, the Not Present exception handler
is used to implement a virtual memory system.
The operating system can swap inactive
memory segments to a mass-storage device
such as a disk. Applications programs need
not be told about this; the next time they
attempt to access the swapped-out memory
segment, the Not Present handler will be
invoked, the segment will be brought back into
memory, and the offending instruction within
the applications program will be restarted.


If #NP is detected on loading CS, DS, or ES 
in a task switch, the exception occurs in the 
new task, and the IRET from the exception 
handler jumps directly to the next instruction 
in the new task. 


The Not Present exception handler must
contain special code to complete the loading
of segment registers when #NP is detected in
loading the CS or DS registers in a task
switch and a trap or interrupt gate was used.
The DS and ES registers have been loaded
but their descriptors have not been loaded.
Any memory reference using the segment
register may cause exception 13. The #NP
exception handler should execute code such
as the following to ensure full loading of the
segment registers:


MOV AX,DS 
MOV DS,AX 
MOV AX,ES 
MOV ES,AX 


#SS 12 Stack Fault (Selector or Zero
Error Code)


This exception is generated when a limit 
violation is detected in addressing through the 
SS register. It can occur on stack-oriented 
instructions such as PUSH or POP, as well 
as other types of memory references using SS 
such as MOV AX,[BP+28]. It also can occur
on an ENTER instruction when there is not
enough space on the stack for the indicated 
local variable space, even if the stack excep- 
tion is not triggered by pushing BP or copying 
the display stack. A stack exception can 
therefore indicate a stack overflow, a stack 
underflow or a wild offset. The error code will 
be zero. 


#SS is also generated on an attempt to load 
SS with a descriptor that is marked not 
present but is otherwise valid. This can occur 
in a task switch, an inter-level call, an inter- 
level return, a move to the SS instruction or 
a pop to the SS instruction. The error code 
will be non-zero. 


#SS is never generated when addressing 
through the DS or ES registers even if the 
offending register points to the same segment 
as the SS register.


The #SS exception handler must contain 
special code to complete the loading of 
segment registers. The DS and ES registers 
will not be fully loaded if a not-present 
condition is detected while loading the SS 
register. Therefore, the #SS exception handler 
should execute code such as the following to 
ensure full loading of the segment registers:


MOV AX,DS 
MOV DS,AX 
MOV AX,ES 
MOV ES,AX 


Generally, the instruction causing #SS can be 
restarted, but there is one special case when 
it cannot: when a PUSHA or POPA instruc- 
tion attempts to wrap around the 64K bound- 
ary of a stack segment. This condition is 
identified by the value of the saved SP, which 
can be either 0000H, 0001H, 0FFFEH, or
0FFFFH.


#TS 10 Invalid Task State Segment
(Selector Error Code) 


This exception is generated when a task state 
segment is invalid, that is, when a task state 
segment is too small; when the LDT indicated 
in a TSS is invalid or not present; when the 
SS, CS, DS, or ES indicated in a TSS are 
invalid (task switch); when a TSS indicated 
an invalid privileged stack (inter-level call); 
or when the back link in a TSS is invalid 
(inter-task IRET). 


#TS is not generated when the SS, CS, DS, 
or ES back link or privileged stack selectors 
point to a descriptor that is not present but 
otherwise is valid. #NP is generated in these
cases. 


The error code passed to the exception handler 
contains the selector of the offending segment, 
which can either be the Task State Segment 
itself, or a selector found within the Task 
State Segment. 


The instruction causing #TS can be restarted. 
#TS must be handled through a task gate. 


#UD 6 Undefined Opcode (No Error Code) 


This exception is generated when an invalid 
operation code is detected in the instruction 
stream. Following are the cases in which #UD 
can occur: 


1. The first byte of an instruction is 
completely invalid (e.g., 64H). 


2. The first byte indicates a 2-byte opcode
and the second byte is invalid (e.g., 0FH
followed by 0FFH).


3. An invalid register is used with an otherwise
valid opcode (e.g., MOV CS,AX).


4. An invalid opcode extension is given in
the REG field of the ModRM byte (e.g.,
0F6H /1).


5. A register operand is given in an instruction
that requires a memory operand
(e.g., LGDT AX).


Since the offending opcode will always be 
invalid, it cannot be restarted. However, the 
#UD handler might be coded to implement 
an extension of the iAPX 286 instruction set. 
In that case, the handler could advance the
return pointer beyond the extended instruction
and return control to the program after
the extended instruction is emulated. Any
such extensions may be incompatible with
iAPX 386.


Privilege Level and Task Switching on 
the iAPX 286


The iAPX 286 supports many of the functions 
necessary to implement a protected, multi- 
tasking operating system in hardware. This 
support is provided not by additional instruc- 
tions, but by extension of the semantics of 
iAPX 86/88 instructions that change the 
value of CS:IP. 


Whenever the iAPX 286 performs an inter- 
segment jump, call, interrupt, or return, it 
consults the Access Rights (AR) byte found 
in the descriptor table entry of the selector 
associated with the new CS value. The AR 
byte determines whether the long jump being 
made is through a gate, or is a task switch, or 
is a simple long jump to the same privilege 
level. Table B-3 lists the possible values of the 
AR byte. The “privilege” headings at the top
of the table give the Descriptor Privilege 
Level, which is referred to as the DPL within 
the instruction descriptions. 


Each of the CALL, INT, IRET, JMP, and 
RET instructions contains on its instruction 
set pages a listing of the access rights 
checking and actions taken to implement 
the instruction. Instructions involving 
task switches contain the symbol 
SWITCH_TASKS, which is an abbreviation 
for the following list of checks and actions: 


SWITCH_TASKS:
Locked set AR byte of new TSS descriptor to Busy TSS (Bit 1 = 1)
Current TSS cache must be valid with limit ≥ 43 else #TS (error code will be new TSS, but back link points
at old TSS)
New TSS limit ≥ 43 else #TS (new TSS)
Save machine state in current TSS
If nesting tasks, set the new TSS link to the current TSS selector
Any exception will be in new context
Else set the AR byte of current TSS descriptor to Available TSS (Bit 1 = 0)
Set the current TR to selector, base, and limit of new TSS
Set all machine registers to values from new TSS without loading descriptors for DS, ES, CS, SS, LDT
Clear valid flags for LDT, SS, CS, DS, ES (not valid yet)
Set the Task Switched flag to 1
If nesting tasks, set the Nested Task flag to 1
LDT from the new TSS must be within GDT table limits else #TS(LDT)
AR byte from LDT descriptor must specify LDT segment else #TS(LDT)
AR byte from LDT descriptor must indicate PRESENT else #TS(LDT)
Load LDT cache with new LDT descriptor and set valid bit
Set CPL to the RPL of the CS selector in the new TSS
If new stack selector is null #TS(SS)
SS selector must be within its descriptor table limits else #TS(SS)
SS selector RPL must be equal to CPL else #TS(SS)
DPL of SS descriptor must equal CPL else #TS(SS)
SS descriptor AR byte must indicate writable data segment else #TS(SS)
SS descriptor AR byte must indicate PRESENT else #SS(SS)
Load SS cache with new stack segment and set valid bit
New CS selector must not be null else #TS(CS)
CS selector must be within its descriptor table limits else #TS(CS)
CS descriptor AR byte must indicate code segment else #TS(CS)
If non-conforming then DPL must equal CPL else #TS(CS)
If conforming then DPL must be ≤ CPL else #TS(CS)
CS descriptor AR byte must indicate PRESENT else #NP(CS)
Load CS cache with new code segment descriptor and set valid bit
For DS and ES:
    If new selector is not null then perform following checks:
        Index must be within its descriptor table limits else #TS(segment selector)
        AR byte must indicate data or readable code else #TS(segment selector)
        If data or non-conforming code then:
            DPL must be ≥ CPL else #TS(segment selector)
            DPL must be ≥ RPL else #TS(segment selector)
        AR byte must indicate PRESENT else #NP(segment selector)
        Load cache with new segment descriptor and set valid bit




Table B-3. Hexadecimal Values for the Access Rights Byte


Not present, privilege=    Present, privilege=    Descriptor Type

Illegal
Available Task State Segment
Local Descriptor Table Segment
Busy Task State Segment
Call Gate
Task Gate
Interrupt Gate
Trap Gate
Illegal
Illegal
Illegal
Illegal
Illegal
Illegal
Illegal
Illegal
Expand-up, read only, ignored Data Segment
Expand-up, read only, accessed Data Segment
Expand-up, writable, ignored Data Segment
Expand-up, writable, accessed Data Segment
Expand-down, read only, ignored Data Segment
Expand-down, read only, accessed Data Segment
Expand-down, writable, ignored Data Segment
Expand-down, writable, accessed Data Segment
Non-conform, no read, ignored Code Segment
Non-conform, no read, accessed Code Segment
Non-conform, readable, ignored Code Segment
Non-conform, readable, accessed Code Segment
Conforming, no read, ignored Code Segment
Conforming, no read, accessed Code Segment
Conforming, readable, ignored Code Segment
Conforming, readable, accessed Code Segment
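

The SS and CS checks of SWITCH_TASKS applied to access rights bytes, as an added C example that is not part of the manual. It assumes the standard 80286 access-rights layout (bit 7 present, bits 6-5 DPL, bits 4-0 the Table B-3 row) and 8-byte descriptor table entries, because the hexadecimal columns of Table B-3 are not legible on this page; the function names and the sample selectors and AR bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Vector numbers (Table B-2) of the faults these checks can raise. */
enum fault { FAULT_NONE = 0, FAULT_TS = 10, FAULT_NP = 11, FAULT_SS = 12 };

/* Descriptor types in Table B-3 row order; the row number is AR & 1FH. */
static const char *const ar_names[32] = {
    "Illegal", "Available Task State Segment",
    "Local Descriptor Table Segment", "Busy Task State Segment",
    "Call Gate", "Task Gate", "Interrupt Gate", "Trap Gate",
    "Illegal", "Illegal", "Illegal", "Illegal",
    "Illegal", "Illegal", "Illegal", "Illegal",
    "Expand-up, read only, ignored Data Segment",
    "Expand-up, read only, accessed Data Segment",
    "Expand-up, writable, ignored Data Segment",
    "Expand-up, writable, accessed Data Segment",
    "Expand-down, read only, ignored Data Segment",
    "Expand-down, read only, accessed Data Segment",
    "Expand-down, writable, ignored Data Segment",
    "Expand-down, writable, accessed Data Segment",
    "Non-conform, no read, ignored Code Segment",
    "Non-conform, no read, accessed Code Segment",
    "Non-conform, readable, ignored Code Segment",
    "Non-conform, readable, accessed Code Segment",
    "Conforming, no read, ignored Code Segment",
    "Conforming, no read, accessed Code Segment",
    "Conforming, readable, ignored Code Segment",
    "Conforming, readable, accessed Code Segment",
};

int ar_present(uint8_t ar)           { return (ar >> 7) & 1; }  /* bit 7 */
int ar_dpl(uint8_t ar)               { return (ar >> 5) & 3; }  /* bits 6-5 */
const char *ar_type_name(uint8_t ar) { return ar_names[ar & 0x1F]; }

/* The whole 8-byte entry named by sel must lie inside the table limit. */
static int in_table(uint16_t sel, uint16_t limit)
{
    return (uint32_t)(sel & 0xFFF8) + 7 <= limit;
}

/* New stack segment, in the order SWITCH_TASKS lists the checks. */
enum fault check_new_ss(uint16_t sel, uint8_t ar, int cpl, uint16_t limit)
{
    if ((sel & 0xFFFC) == 0)   return FAULT_TS;  /* null selector (0-3) */
    if (!in_table(sel, limit)) return FAULT_TS;
    if ((sel & 3) != cpl)      return FAULT_TS;  /* RPL must equal CPL */
    if (ar_dpl(ar) != cpl)     return FAULT_TS;  /* DPL must equal CPL */
    if ((ar & 0x1A) != 0x12)   return FAULT_TS;  /* writable data segment */
    if (!ar_present(ar))       return FAULT_SS;  /* #SS(SS), not #NP */
    return FAULT_NONE;
}

/* New code segment; CPL has already become the RPL of this selector. */
enum fault check_new_cs(uint16_t sel, uint8_t ar, uint16_t limit)
{
    int cpl = sel & 3;

    if ((sel & 0xFFFC) == 0)   return FAULT_TS;
    if (!in_table(sel, limit)) return FAULT_TS;
    if ((ar & 0x18) != 0x18)   return FAULT_TS;  /* must be a code segment */
    if (ar & 0x04) {                             /* conforming: DPL <= CPL */
        if (ar_dpl(ar) > cpl)  return FAULT_TS;
    } else if (ar_dpl(ar) != cpl) {              /* non-conforming: equal */
        return FAULT_TS;
    }
    if (!ar_present(ar))       return FAULT_NP;  /* #NP(CS) */
    return FAULT_NONE;
}

int main(void)
{
    /* Constructed AR bytes. */
    static const uint8_t samples[] = { 0x83, 0x92, 0x12, 0x9A, 0xFE };
    size_t i;

    for (i = 0; i < sizeof samples; i++)
        printf("AR=%02XH present=%d DPL=%d %s\n", samples[i],
               ar_present(samples[i]), ar_dpl(samples[i]),
               ar_type_name(samples[i]));
    printf("SS check, not-present stack: vector %d\n",
           check_new_ss(0x0010, 0x12, 0, 0x00FF));
    printf("CS check, not-present code:  vector %d\n",
           check_new_cs(0x0008, 0x1A, 0x00FF));
    return 0;
}
```

A not-present stack segment reports vector 12 while a not-present code segment reports vector 11, which is why a handler cannot assume that every missing segment arrives through #NP.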


AAA—ASCII Adjust AL After Addition


Opcode    Instruction    Clocks    Description

37        AAA            3         ASCII adjust AL after addition


FLAGS MODIFIED
Auxiliary carry, carry


FLAGS UNDEFINED
Overflow, sign, zero, parity


OPERATION


AAA should be executed only after an ADD
instruction which leaves a byte result in the
AL register. The lower nibbles of the operands
to the ADD instruction should be in the range
0 through 9 (BCD digits). In this case, the
AAA instruction will adjust AL to contain the
correct decimal digit result. If the addition
produced a decimal carry, the AH register is
incremented, and the carry and auxiliary
carry flags are set to 1. If there was no
decimal carry, the carry and auxiliary carry
flags are set to 0, and AH is unchanged. In
any case, AL is left with its top nibble set to
0. To convert AL to an ASCII result, you can
follow the AAA instruction with OR AL,30H.


The precise definition of AAA is as follows:
if the lower 4 bits of AL are greater than nine,
or if the auxiliary carry flag is 1, then increment
AL by 6, AH by 1, and set the carry
and auxiliary carry flags. Otherwise, reset the
carry and auxiliary carry flags. In any case,
conclude the AAA operation by setting the
upper four bits of AL to zero.


PROTECTED MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


AAD—ASCII Adjust AX Before Division


Instruction    Clocks    Description

AAD            14        ASCII adjust AX before division


FLAGS MODIFIED
Sign, zero, parity


FLAGS UNDEFINED
Overflow, auxiliary carry, carry


OPERATION


AAD is used to prepare two unpacked BCD
digits (least significant in AL, most significant
in AH) for a division operation which
will yield an unpacked result. This is accomplished
by setting AL to AL + (10 × AH),
and then setting AH to 0. This leaves AX
equal to the binary equivalent of the original
unpacked 2-digit number.


PROTECTED MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


AAM—ASCII Adjust AX After Multiply


Instruction    Clocks    Description

AAM            16        ASCII adjust AX after multiply


FLAGS MODIFIED
Sign, zero, parity


FLAGS UNDEFINED
Overflow, auxiliary carry, carry


OPERATION


AAM should be used only after executing a
MUL instruction between two unpacked BCD
digits, leaving the result in the AX register.
Since the result is less than one hundred, it is
contained entirely in the AL register. AAM
unpacks the AL result by dividing AL by ten,
leaving the quotient (most significant digit)
in AH, and the remainder (least significant
digit) in AL.


PROTECTED MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


AAS—ASCII Adjust AL After Subtraction


Opcode    Instruction    Clocks    Description

3F        AAS            3         ASCII adjust AL after subtraction


FLAGS MODIFIED
Auxiliary carry, carry


FLAGS UNDEFINED
Overflow, sign, zero, parity


OPERATION


AAS should be executed only after a subtraction
instruction which left the byte result in
the AL register. The lower nibbles of the
operands to the SUB instruction should have
been in the range 0 through 9 (BCD digits).
In this case, the AAS instruction will adjust
AL to contain the correct decimal digit result.
If the subtraction produced a decimal carry,
the AH register is decremented, and the carry
and auxiliary carry flags are set to 1. If there
was no decimal carry, the carry and auxiliary
carry flags are set to 0, and AH is unchanged.
In any case, AL is left with its top nibble set
to 0. To convert AL to an ASCII result, you
can follow the AAS instruction with
OR AL,30H.


The precise definition of AAS is as follows: if 
the lower four bits of AL are greater than 9, 
or if the auxiliary carry flag is 1, then decre- 
ment AL by 6, AH by 1, and set the carry 
and auxiliary carry flags. Otherwise, reset the 
carry and auxiliary carry flags. In any case, 
conclude the AAS operation by setting the 
upper four bits of AL to zero. 
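

The precise definitions of AAA and AAS, together with the AAD and AAM operations described above, written out as an added C emulation (not code from the manual). The struct and function names are hypothetical, the ADD and SUB helpers model only AL and the carry and auxiliary carry flags, and the digit pairs used in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Only the state the four adjust instructions touch. */
struct cpu { uint8_t al, ah; int cf, af; };

/* ADD AL,src: AF is the carry out of the low nibble. */
static void add_al(struct cpu *c, uint8_t src)
{
    unsigned sum = (unsigned)c->al + src;

    c->af = ((c->al & 0x0F) + (src & 0x0F)) > 0x0F;
    c->cf = sum > 0xFF;
    c->al = (uint8_t)sum;
}

/* SUB AL,src: AF is the borrow out of the low nibble. */
static void sub_al(struct cpu *c, uint8_t src)
{
    c->af = (c->al & 0x0F) < (src & 0x0F);
    c->cf = c->al < src;
    c->al = (uint8_t)(c->al - src);
}

void aaa(struct cpu *c)
{
    if ((c->al & 0x0F) > 9 || c->af) {
        c->al = (uint8_t)(c->al + 6);
        c->ah = (uint8_t)(c->ah + 1);
        c->cf = c->af = 1;
    } else {
        c->cf = c->af = 0;
    }
    c->al &= 0x0F;                  /* top nibble always cleared */
}

void aas(struct cpu *c)
{
    if ((c->al & 0x0F) > 9 || c->af) {
        c->al = (uint8_t)(c->al - 6);
        c->ah = (uint8_t)(c->ah - 1);
        c->cf = c->af = 1;
    } else {
        c->cf = c->af = 0;
    }
    c->al &= 0x0F;
}

/* AAD: AL = AL + 10 * AH, AH = 0. Takes and returns AX. */
uint16_t aad(uint16_t ax)
{
    return (uint8_t)((ax & 0xFF) + 10 * (ax >> 8));
}

/* AAM: AH = AL / 10, AL = AL mod 10. Returns AX. */
uint16_t aam(uint8_t al)
{
    return (uint16_t)(((al / 10) << 8) | (al % 10));
}

/* ADD AL,b / AAA / OR AL,30H on two ASCII digits, AH starting at 0. */
uint16_t ascii_add(char a, char b)
{
    struct cpu c = { (uint8_t)a, 0, 0, 0 };

    add_al(&c, (uint8_t)b);
    aaa(&c);
    c.al |= 0x30;
    return (uint16_t)((c.ah << 8) | c.al);
}

/* SUB AL,b / AAS / OR AL,30H; AH = 0FFH afterwards signals a borrow. */
uint16_t ascii_sub(char a, char b)
{
    struct cpu c = { (uint8_t)a, 0, 0, 0 };

    sub_al(&c, (uint8_t)b);
    aas(&c);
    c.al |= 0x30;
    return (uint16_t)((c.ah << 8) | c.al);
}

int main(void)
{
    printf("'7'+'8' -> AX=%04X\n", ascii_add('7', '8'));
    printf("'9'+'9' -> AX=%04X\n", ascii_add('9', '9'));
    printf("'3'-'8' -> AX=%04X\n", ascii_sub('3', '8'));
    printf("AAM(63) -> AX=%04X, AAD back -> AX=%04X\n",
           aam(63), aad(aam(63)));
    return 0;
}
```

The '9'+'9' case is the one that needs the auxiliary carry test: the low nibble of the raw sum is 2, which is not greater than nine, so only the flag reveals the decimal carry.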


PROTECTED MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 


ADC/ADD—Integer Addition


Instruction    Clocks       Description

ADC eb,rb      2,mem=7      Add with carry byte register into EA byte
ADC ew,rw      2,mem=7      Add with carry word register into EA word
ADC rb,eb      2,mem=7      Add with carry EA byte into byte register
ADC rw,ew      2,mem=7      Add with carry EA word into word register
ADC AL,db      3            Add with carry immediate byte into AL
ADC AX,dw      3            Add with carry immediate word into AX
ADC eb,db      3,mem=7      Add with carry immediate byte into EA byte
ADC ew,dw      3,mem=7      Add with carry immediate word into EA word
ADC ew,db      3,mem=7      Add with carry immediate byte into EA word
ADD eb,rb      2,mem=7      Add byte register into EA byte
ADD ew,rw      2,mem=7      Add word register into EA word
ADD rb,eb      2,mem=7      Add EA byte into byte register
ADD rw,ew      2,mem=7      Add EA word into word register
ADD AL,db      3            Add immediate byte into AL
ADD AX,dw      3            Add immediate word into AX
ADD eb,db      3,mem=7      Add immediate byte into EA byte
ADD ew,dw      3,mem=7      Add immediate word into EA word
ADD ew,db      3,mem=7      Add immediate byte into EA word


FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry


FLAGS UNDEFINED
None


OPERATION


ADD and ADC perform an integer addition
on the two operands. The ADC instruction
also adds in the initial state of the carry flag.
The result of the addition goes to the first
operand. ADC is usually executed as part of
a multi-byte or multi-word addition
operation.


When a byte immediate value is added to a
word operand, the immediate value is first
sign-extended.


PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
AND—Logical AND

Instruction    Clocks      Description

AND eb,rb      2,mem=7     Logical-AND byte register into EA byte
AND ew,rw      2,mem=7     Logical-AND word register into EA word
AND rb,eb      2,mem=7     Logical-AND EA byte into byte register
AND rw,ew      2,mem=7     Logical-AND EA word into word register
AND AL,db      3           Logical-AND immediate byte into AL
AND AX,dw      3           Logical-AND immediate word into AX
AND eb,db      3,mem=7     Logical-AND immediate byte into EA byte
AND ew,dw      3,mem=7     Logical-AND immediate word into EA word

FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0

FLAGS UNDEFINED
Auxiliary carry

OPERATION
Each bit of the result is a 1 if both corresponding bits of the operands
were 1; it is 0 otherwise.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal
memory operand effective address in the CS, DS, or ES segments; #SS(0)
for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
ARPL—Adjust RPL Field of Selector

Opcode    Instruction    Clocks       Description

63 /r     ARPL ew,rw     10,mem=11    Adjust RPL of EA word not less than RPL of rw

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION

The ARPL instruction has two operands. The first operand is a 16-bit
memory variable or word register that contains the value of a selector.
The second operand is a word register. If the RPL field (bottom two
bits) of the first operand is less than the RPL field of the second
operand, then the zero flag is set to 1 and the RPL field of the first
operand is increased to match the second RPL. Otherwise, the zero flag
is set to 0 and no change is made to the first operand.

ARPL appears in operating systems software, not in applications
programs. It is used to guarantee that a selector parameter to a
subroutine does not request more privilege than the caller was entitled
to. The second operand used by ARPL would normally be a register that
contains the CS selector value of the caller.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal
memory operand effective address in the CS, DS, or ES segments; #SS(0)
for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 6. ARPL is not recognized in Real Address mode.
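The following C model of the ARPL operation is an added example, not code from the manual. It shows how a more privileged routine can use the adjustment so that a selector passed in by a caller never carries a more privileged RPL than the caller's own CS; the function names and the selector values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Selector layout: bits 15..3 index, bit 2 table indicator, bits 1..0 RPL. */
#define RPL_MASK 0x0003u

static unsigned rpl_of(uint16_t selector)
{
    return selector & RPL_MASK;
}

/*
 * Model of ARPL ew,rw as described above.
 * If RPL(*dest) < RPL(src), RPL(*dest) is raised to RPL(src) and the
 * function returns true (zero flag = 1). Otherwise *dest is left
 * unchanged and the function returns false (zero flag = 0).
 */
static bool arpl(uint16_t *dest, uint16_t src)
{
    if (rpl_of(*dest) < rpl_of(src)) {
        *dest = (uint16_t)((*dest & ~RPL_MASK) | rpl_of(src));
        return true;
    }
    return false;
}

/*
 * Hypothetical operating system entry point (name is an assumption).
 * The caller passes a selector as a parameter. Before using it, the
 * routine applies ARPL with the caller's CS selector, so later access
 * checks treat the selector as no more privileged than the caller.
 * *adjusted receives the zero-flag result, which a real routine could
 * log or treat as a sign of a forged parameter.
 */
static uint16_t sanitize_selector_param(uint16_t param, uint16_t caller_cs,
                                        bool *adjusted)
{
    *adjusted = arpl(&param, caller_cs);
    return param;
}

int main(void)
{
    bool adjusted;

    /* Constructed case: a level 3 caller (CS RPL = 3) passes a selector
     * whose RPL claims level 0. */
    uint16_t s = sanitize_selector_param(0x0010, 0x001B, &adjusted);
    printf("forged RPL 0 from level 3 caller: %04X adjusted=%d\n", s, adjusted);

    /* Constructed case: a level 0 caller passes an RPL 3 selector.
     * ARPL never lowers an RPL, so nothing changes. */
    s = sanitize_selector_param(0x0013, 0x0008, &adjusted);
    printf("RPL 3 from level 0 caller:        %04X adjusted=%d\n", s, adjusted);
    return 0;
}
```
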
BOUND—Check Array Index Against Bounds

Instruction    Clocks    Description

BOUND rw,md    noj=13    INT 5 if rw not within bounds

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

BOUND is used to ensure that a signed array index is within the limits
defined by a two-word block of memory. The first operand (a register)
must be greater than or equal to the first word in memory, and less than
or equal to the second word in memory. If the register is not within the
bounds, an INTERRUPT 5 occurs.

The two-word block might typically be found just before the array itself
and therefore would be accessible at a constant offset of -4 from the
array, simplifying the addressing.

PROTECTED MODE EXCEPTIONS

INTERRUPT 5 if the bounds test fails, as described above. #GP(0) for an
illegal memory operand effective address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS segment.

The second operand must be a memory operand, not a register. If the
BOUND instruction is executed with a ModRM byte representing a register
second operand, then fault #UD will occur.

REAL ADDRESS MODE EXCEPTIONS
INTERRUPT 5 if the bounds test fails, as described above. Interrupt 13
for a second operand at offset 0FFFDH or higher. Interrupt 6 if the
second operand is a register, as described in the paragraph above.
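The following C model of the BOUND test is an added example, not code from the manual. It places the two-word block directly before the array, as the text suggests, and contrasts the two-sided signed test with a check that compares only against the upper limit; the array contents and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INT_BOUND 5   /* INTERRUPT 5, raised when the bounds test fails */

/* Constructed sample: the two bounds words (0 and 7) followed directly
 * by an 8-element word array, so the block sits 4 bytes before it. */
static int16_t storage[2 + 8] = { 0, 7, 10, 11, 12, 13, 14, 15, 16, 17 };
static int16_t *const table = storage + 2;

/*
 * Model of BOUND rw,md. The index is a signed word; it must be
 * >= the first word of the block and <= the second word.
 * Returns 0 when the index is in bounds, INT_BOUND otherwise.
 */
static int bound(int16_t index, const int16_t *bounds)
{
    return (index >= bounds[0] && index <= bounds[1]) ? 0 : INT_BOUND;
}

/*
 * Checked load: locate the bounds block at the constant offset of
 * -4 bytes (two words) from the array, run the BOUND test, and read
 * the element only when the test passes. *out is untouched on a fault.
 */
static int checked_load(const int16_t *array, int16_t index, int16_t *out)
{
    const int16_t *bounds = array - 2;
    int fault = bound(index, bounds);
    if (fault == 0)
        *out = array[index];
    return fault;
}

/*
 * For contrast: a test against the upper limit only. Because the index
 * is signed, a negative value passes this test and would address memory
 * in front of the array (here, the bounds block itself).
 */
static bool upper_only_accepts(const int16_t *array, int16_t index)
{
    return index <= array[-1];
}

int main(void)
{
    int16_t value = 0;
    int16_t probes[] = { 3, 7, 8, -1 };   /* constructed test indexes */

    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int fault = checked_load(table, probes[i], &value);
        if (fault)
            printf("index %d: INTERRUPT %d (upper-only check accepts: %d)\n",
                   probes[i], fault, upper_only_accepts(table, probes[i]));
        else
            printf("index %d: value %d\n", probes[i], value);
    }
    return 0;
}
```
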
CALL—Call Procedure

Instruction    Clocks*      Description

CALL cw        7            Call near, offset relative to next instruction
CALL ew        7,mem=11     Call near, offset absolute at EA word
CALL cd        13,pm=26     Call inter-segment, immediate 4-byte address
CALL cd        41           Call gate, same privilege
CALL cd        82           Call gate, more privilege, no parameters
CALL cd        86+4X        Call gate, more privilege, X parameters
CALL cd        177          Call via Task State Segment
CALL cd        182          Call via task gate
CALL ed        16,mem=29    Call inter-segment, address at EA doubleword
CALL ed                     Call gate, same privilege
CALL ed                     Call gate, more privilege, no parameters
CALL ed                     Call gate, more privilege, X parameters
CALL ed                     Call via Task State Segment
CALL ed                     Call via task gate

*Add one clock for each byte in the next instruction executed.

FLAGS MODIFIED
None, except when a task switch occurs

FLAGS UNDEFINED
None


OPERATION 


The CALL instruction causes the procedure 
named in the operand to be executed. When 
the procedure is complete (a return instruc- 
tion is executed within the procedure), execu- 
tion continues at the instruction that follows 
the CALL instruction. 


The CALL cw form of the instruction adds 
modulo 65536 (the 2-byte operand) to the 
offset of the instruction following the CALL 
and sets IP to the resulting offset. The 2-byte 
offset of the instruction that follows the 
CALL is pushed onto the stack. It will be 
popped by a near RET instruction within the 
procedure. The CS register is not changed by 
this form. 


The CALL ew form of the instruction is the same as CALL cw except that
the operand specifies a memory location from which the absolute 2-byte
offset for the procedure is fetched.

The CALL cd form of the instruction uses the 4-byte operand as a pointer
to the procedure called. The CALL ed form fetches the long pointer from
the memory location specified. Both long pointer forms consult the AR
byte in the descriptor indexed by the selector part of the long pointer.
The AR byte can indicate one of the following descriptor types:


1. Code Segment—The access rights are checked, the return pointer is
   pushed onto the stack, and the procedure is jumped to.

2. Call Gate—The offset part of the pointer is ignored. Instead, the
   entire address of the procedure is taken from the call gate
   descriptor entry. If the routine being entered is more privileged,
   then a new stack (both SS and SP) is loaded from the task state
   segment for the new privilege level, and parameters determined by the
   wordcount field of the call gate are copied from the old stack to the
   new stack.

3. Task Gate—The current task's context is saved in its Task State
   Segment (TSS), and the TSS named in the task-gate is used to load the
   new context. The selector for the outgoing task (from TR) is stored
   into the new TSS's link field, and the new task's Nested Task flag is
   set. The outgoing task is left marked busy, the new TSS is marked
   busy, and execution resumes at the point at which the new task was
   last suspended.

4. Task State Segment—The current task is suspended and the new task
   initiated as in 3 above except that there is no intervening gate.

For long calls involving no task switch, the return link is the pointer
of the instruction that follows the CALL, i.e., the caller's CS and
updated IP. Task switches invoked by CALLs are linked by storing the
outgoing task's TSS selector in the incoming TSS's link field and
setting the Nested Task flag in the new task. Nested tasks must be
terminated by an IRET. IRET releases the nested task and follows the
back link to the calling task if the NT flag is set.

A precise list of the protection checks made and the actions taken is
given by the following list:

CALL FAR:

If indirect then check access of EA doubleword #GP(0) if limit violation
New CS selector must not be null else #GP(0)
Check that new CS selector index is within its descriptor table limits; else #GP (new CS selector)
Examine AR byte of selected descriptor for various legal values:

   CALL CONFORMING CODE SEGMENT:
      DPL must be ≤ CPL else #GP (code segment selector)
      Segment must be PRESENT else #NP (code segment selector)
      Stack must be big enough for return address else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load code segment descriptor into CS cache
      Load CS with new code segment selector
      Load IP with new offset

   CALL NONCONFORMING CODE SEGMENT:
      RPL must be ≤ CPL else #GP (code segment selector)
      DPL must be = CPL else #GP (code segment selector)
      Segment must be PRESENT else #NP (code segment selector)
      Stack must be big enough for return address else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load code segment descriptor into CS cache
      Load CS with new code segment selector
      Set RPL of CS to CPL
      Load IP with new offset

   CALL TO CALL GATE:
      Call gate DPL must be ≥ CPL else #GP (call gate selector)
      Call gate DPL must be ≥ RPL else #GP (call gate selector)
      Call gate must be PRESENT else #NP (call gate selector)
      Examine code segment selector in call gate descriptor:
         Selector must not be null else #GP(0)
         Selector must be within its descriptor table limits else #GP (code segment selector)
         AR byte of selected descriptor must indicate code segment else #GP (code segment selector)
         DPL of selected descriptor must be ≤ CPL else #GP (code segment selector)
      If non-conforming code segment and DPL < CPL then
         CALL GATE TO MORE PRIVILEGE:
            Get new SS selector for new privilege level from TSS
            Check selector and descriptor for new SS:
               Selector must not be null else #TS(0)
               Selector index must be within its descriptor table limits else #TS (SS selector)
               Selector's RPL must equal DPL of code segment else #TS (SS selector)
               Stack segment DPL must equal DPL of code segment else #TS (SS selector)
               Descriptor must indicate writable data segment else #TS (SS selector)
               Segment PRESENT else #SS (SS selector)
            New stack must have room for parameters plus 8 bytes else #SS(0)
            IP must be in code segment limit else #GP(0)
            Load new SS:SP value from TSS
            Load new CS:IP value from gate
            Load CS descriptor
            Load SS descriptor
            Push long pointer of old stack onto new stack
            Get word count from call gate, mask to 5 bits
            Copy parameters from old stack onto new stack
            Push return address onto new stack
            Set CPL to stack segment DPL
            Set RPL of CS to CPL
      Else
         CALL GATE TO SAME PRIVILEGE:
            Stack must have room for 4-byte return address else #SS(0)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from gate
            Push return address onto stack
            Load code segment descriptor into CS cache
            Set RPL of CS to CPL

   CALL TASK GATE:
      Task gate DPL must be ≥ CPL else #GP (gate selector)
      Task gate DPL must be ≥ RPL else #GP (gate selector)
      Task Gate must be PRESENT else #NP (gate selector)
      Examine selector to TSS, given in Task Gate descriptor:
         Must specify global in the local/global bit else #GP (TSS selector)
         Index must be within GDT limits else #GP (TSS selector)
         TSS descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
         Task State Segment must be PRESENT else #NP (TSS selector)
      SWITCH_TASKS with nesting to TSS
      IP must be in code segment limit else #GP(0)

   TASK STATE SEGMENT:
      TSS DPL must be ≥ CPL else #GP (TSS selector)
      TSS DPL must be ≥ RPL else #GP (TSS selector)
      TSS descriptor AR byte must specify available TSS else #GP (TSS selector)
      Task State Segment must be PRESENT else #NP (TSS selector)
      SWITCH_TASKS with nesting to TSS
      IP must be in code segment limit else #GP(0)

   ELSE #GP (code segment selector)


PROTECTED MODE EXCEPTIONS

FAR calls: #GP, #NP, #SS, and #TS, as indicated in the list above.

NEAR direct calls: #GP(0) if procedure location is beyond the code
segment limits.

NEAR indirect CALL: #GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments; #SS(0) for an illegal address in
the SS segment. #GP if the indirect offset obtained is beyond the code
segment limits.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
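The following C model is an added example, not code from the manual. It covers only the privilege and presence checks a far CALL makes on a code segment or call gate, using the 286 convention that a numerically larger level is less privileged (gate DPL must be numerically at least CPL and RPL; target code DPL must be numerically at most CPL). Stack and limit checks are left out, and the descriptor structure and sample descriptors are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Descriptor kinds as selected by the AR byte (only those modelled). */
enum desc_type { CODE_CONFORMING, CODE_NONCONFORMING, CALL_GATE, OTHER_DESC };

/* Outcome of the checks: the call proceeds, or a fault is raised. */
enum outcome { OK_SAME_PRIVILEGE, OK_MORE_PRIVILEGE, FAULT_GP, FAULT_NP };

struct descriptor {
    enum desc_type type;
    unsigned dpl;                      /* 0 = most privileged, 3 = least */
    bool present;
    const struct descriptor *target;   /* call gate only: code segment named
                                          by the gate, NULL = null selector */
};

/* CALL TO CALL GATE: gate checks, then checks on the code segment it names. */
static enum outcome check_call_gate(unsigned cpl, unsigned rpl,
                                    const struct descriptor *gate)
{
    const struct descriptor *cs = gate->target;

    if (gate->dpl < cpl || gate->dpl < rpl)
        return FAULT_GP;               /* caller may not use this gate */
    if (!gate->present)
        return FAULT_NP;
    if (cs == NULL)
        return FAULT_GP;               /* null selector in the gate */
    if (cs->type != CODE_CONFORMING && cs->type != CODE_NONCONFORMING)
        return FAULT_GP;               /* gate must name a code segment */
    if (cs->dpl > cpl)
        return FAULT_GP;               /* no call to less privileged code */
    if (cs->type == CODE_NONCONFORMING && cs->dpl < cpl)
        return OK_MORE_PRIVILEGE;      /* stack switch, CPL changes */
    return OK_SAME_PRIVILEGE;
}

/* CALL FAR: cpl is the caller's level, rpl the RPL of the selector used. */
static enum outcome check_far_call(unsigned cpl, unsigned rpl,
                                   const struct descriptor *d)
{
    switch (d->type) {
    case CODE_CONFORMING:
        if (d->dpl > cpl)
            return FAULT_GP;
        return d->present ? OK_SAME_PRIVILEGE : FAULT_NP;
    case CODE_NONCONFORMING:
        if (rpl > cpl || d->dpl != cpl)
            return FAULT_GP;
        return d->present ? OK_SAME_PRIVILEGE : FAULT_NP;
    case CALL_GATE:
        return check_call_gate(cpl, rpl, d);
    default:
        return FAULT_GP;
    }
}

/* Constructed sample descriptors. */
static const struct descriptor kernel_code  = { CODE_NONCONFORMING, 0, true, NULL };
static const struct descriptor user_code    = { CODE_NONCONFORMING, 3, true, NULL };
static const struct descriptor shared_code  = { CODE_CONFORMING,    0, true, NULL };
static const struct descriptor syscall_gate = { CALL_GATE, 3, true,  &kernel_code };
static const struct descriptor driver_gate  = { CALL_GATE, 1, true,  &kernel_code };
static const struct descriptor absent_gate  = { CALL_GATE, 3, false, &kernel_code };
static const struct descriptor down_gate    = { CALL_GATE, 3, true,  &user_code };

int main(void)
{
    static const char *names[] = { "same privilege", "more privilege", "#GP", "#NP" };

    printf("level 3 -> kernel code directly: %s\n",
           names[check_far_call(3, 3, &kernel_code)]);
    printf("level 3 -> DPL 3 gate to kernel: %s\n",
           names[check_far_call(3, 3, &syscall_gate)]);
    printf("level 3 -> DPL 1 gate to kernel: %s\n",
           names[check_far_call(3, 3, &driver_gate)]);
    printf("level 1, selector RPL 3 -> DPL 1 gate: %s\n",
           names[check_far_call(1, 3, &driver_gate)]);
    return 0;
}
```
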
CBW—Convert Byte into Word

Instruction    Clocks    Description

CBW            2         Convert byte into word (AH = top bit of AL)

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION
CBW converts the signed byte in AL to a signed word in AX. It does so by
extending the top bit of AL into all of the bits of AH.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
CLC—Clear Carry Flag

Opcode    Instruction    Clocks    Description

F8        CLC            2         Clear carry flag

FLAGS MODIFIED
Carry=0

FLAGS UNDEFINED
None

OPERATION

CLC sets the carry flag to zero. No other flags or registers are
affected.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
CLD—Clear Direction Flag

Opcode    Instruction    Clocks    Description

FC        CLD            2         Clear direction flag, SI and DI will increment

FLAGS MODIFIED
Direction=0

FLAGS UNDEFINED
None

OPERATION
CLD clears the direction flag. No other flags or registers are affected.
After CLD is executed, string operations will increment the index
registers (SI and/or DI) that they use.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
CLI—Clear Interrupt Flag

Opcode    Instruction    Clocks    Description

FA        CLI            3         Clear interrupt flag; interrupts disabled

FLAGS MODIFIED
Interrupt=0

FLAGS UNDEFINED
None

OPERATION

CLI clears the interrupt enable flag if the current privilege level is
at least as privileged as IOPL. No other flags are affected. External
interrupts will not be recognized at the end of the CLI instruction or
thereafter until the interrupt flag is set.

PROTECTED MODE EXCEPTIONS
#GP(0) if the current privilege level is bigger (has less privilege)
than the IOPL in the flags register. IOPL specifies the least privileged
level at which I/O may be performed.

REAL ADDRESS MODE EXCEPTIONS
None




CLTS—Clear Task Switched Flag

Instruction    Clocks    Description

CLTS           2         Clear task switched flag

FLAGS MODIFIED
Task switched=0

FLAGS UNDEFINED
None

OPERATION

CLTS clears the task switched flag in the Machine Status Word. This flag
is set by the iAPX 286 every time a task switch occurs. The TS flag is
used to manage processor extensions as follows: every execution of a
WAIT or an ESC instruction will be trapped if the MP flag of MSW is set
and the task switched flag is set. Thus, if a processor extension is
present and a task switch has been made since the last ESC instruction
was begun, the processor extension's context must be saved before a new
instruction can be issued. The fault routine will save the context and
reset the task switched flag or place the task requesting the processor
extension into a queue until the current processor extension instruction
is completed.

CLTS appears in operating systems software, not in applications
programs. It is a privileged instruction that can only be executed at
level 0.

PROTECTED MODE EXCEPTIONS

#GP(0) if CLTS is executed with a current privilege level other than 0.

REAL ADDRESS MODE EXCEPTIONS

None (valid in REAL ADDRESS MODE to allow power-up initialization for
Protected Mode)
CMC—Complement Carry Flag

Opcode    Instruction    Clocks    Description

F5        CMC            2         Complement carry flag

FLAGS MODIFIED
Carry

FLAGS UNDEFINED
None

OPERATION

CMC reverses the setting of the carry flag. No other flags are affected.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None




CMP—Compare Two Operands

Instruction    Clocks    Description

CMP AL,db                Compare immediate byte from AL
CMP AX,dw                Compare immediate word from AX
CMP eb,db                Compare immediate byte from EA byte
CMP eb,rb                Compare byte register from EA byte
CMP ew,db                Compare immediate byte from EA word
CMP ew,dw                Compare immediate word from EA word
CMP ew,rw                Compare word register from EA word
CMP rb,eb                Compare EA byte from byte register
CMP rw,ew                Compare EA word from word register

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION

CMP subtracts the second operand from the first operand, but it does not
place the result anywhere. Only the flags are changed by this
instruction. CMP is usually followed by a conditional jump instruction.
See the "Jcond" instructions in this chapter for the list of signed and
unsigned flag tests provided by the iAPX 286.

If a word operand is compared to an immediate byte value, the byte value
is first sign-extended.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
CMPS/CMPSB/CMPSW—Compare String Operands

Instruction    Clocks    Description

CMPS mb,mb     8         Compare bytes ES:[DI] from [SI]
CMPSB          8         Compare bytes ES:[DI] from DS:[SI]
CMPSW          8         Compare words ES:[DI] from DS:[SI]

FLAGS MODIFIED

Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION

CMPS compares the byte or word pointed to by SI with the byte or word
pointed to by DI by performing the subtraction [SI] - [DI]. The result
is not placed anywhere; only the flags reflect the result of the
subtraction. The types of the operands to CMPS determine whether bytes
or words are compared. The segment addressability of the first (SI)
operand determines whether a segment override byte will be produced or
whether the default segment register DS is used. The second (DI) operand
must be addressable from the ES register; no segment override is
possible.

After the comparison is made, both SI and DI are automatically advanced.
If the direction flag is 0 (CLD was executed), the registers increment;
if the direction flag is 1 (STD was executed), the registers decrement.
The registers increment or decrement by 1 if a byte was moved; by 2 if a
word was moved.

CMPS can be preceded by the REPE or REPNE prefix for block comparison of
CX bytes or words. Refer to the REP instruction for details of this
operation.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
CWD—Convert Word to Doubleword

Instruction    Clocks    Description

CWD            2         Convert word to doubleword (DX:AX = AX)

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

CWD converts the signed word in AX to a signed doubleword in DX:AX. It
does so by extending the top bit of AX into all the bits of DX.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None


DAA—Decimal Adjust AL After Addition 


Instruction    Clocks    Description


DAA G+ 4 Decimal adjust AL after addition 


FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
Overflow

OPERATION

DAA should be executed only after an ADD instruction which leaves a
two-BCD-digit byte result in the AL register. The ADD operands should
consist of two packed BCD digits. In this case, the DAA instruction will
adjust AL to contain the correct two-digit packed decimal result.

The precise definition of DAA is as follows:

1. If the lower 4 bits of AL are greater than nine, or if the auxiliary
   carry flag is 1, then increment AL by 6, and set the auxiliary carry
   flag. Otherwise, reset the auxiliary carry flag.

2. If AL is now greater than 9FH, or if the carry flag is set, then
   increment AL by 60H, and set the carry flag. Otherwise, clear the
   carry flag.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
DAS—Decimal Adjust AL After Subtraction

Opcode    Instruction    Clocks    Description

2F        DAS            3         Decimal adjust AL after subtraction

FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
Overflow

OPERATION

DAS should be executed only after a subtraction instruction which leaves
a two-BCD-digit byte result in the AL register. The operands should
consist of two packed BCD digits. In this case, the DAS instruction will
adjust AL to contain the correct packed two-digit decimal result.

The precise definition of DAS is as follows:

1. If the lower four bits of AL are greater than 9, or if the auxiliary
   carry flag is 1, then decrement AL by 6, and set the auxiliary carry
   flag. Otherwise, reset the auxiliary carry flag.

2. If AL is now greater than 9FH, or if the carry flag is set, then
   decrement AL by 60H, and set the carry flag. Otherwise, clear the
   carry flag.

PROTECTED MODE EXCEPTIONS
None

REAL ADDRESS MODE EXCEPTIONS
None
DEC—Decrement by 1

Instruction    Clocks     Description

DEC eb         2,mem=7    Decrement EA byte by 1
DEC ew         2,mem=7    Decrement EA word by 1
DEC rw         2          Decrement word register by 1

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity

FLAGS UNDEFINED
None

OPERATION
1 is subtracted from the operand. Note that the carry flag is not
changed by this instruction. If you want the carry flag set, use the SUB
instruction with a second operand of 1.

PROTECTED MODE EXCEPTIONS

#GP(0) if the operand is in a non-writable segment. #GP(0) for an
illegal memory operand effective address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
DIV—Unsigned Divide

Opcode    Instruction    Clocks       Description

F6 /6     DIV eb         14,mem=17    Unsigned divide AX by EA byte
F7 /6     DIV ew         22,mem=25    Unsigned divide DX:AX by EA word

FLAGS MODIFIED
None

FLAGS UNDEFINED

Overflow, sign, zero, auxiliary carry, parity, carry

OPERATION
DIV performs an unsigned divide. The dividend is implicit; only the
divisor is given as an operand. If the source operand is a BYTE operand,
divide AX by the byte. The quotient is stored in AL, and the remainder
is stored in AH. If the source operand is a WORD operand, divide DX:AX
by the word. The high-order 16 bits of the dividend are kept in DX. The
quotient is stored in AX, and the remainder is stored in DX.
Non-integral quotients are truncated towards 0. The remainder is always
less than the dividend.

PROTECTED MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register
(AL or AX), or if the divisor is zero. #GP(0) for an illegal memory
operand effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register
(AL or AX), or if the divisor is zero. Interrupt 13 for a word operand
at offset 0FFFFH.
ENTER—Make Stack Frame for Procedure Parameters

Instruction     Clocks     Description

ENTER dw,0      11         Make stack frame for procedure parameters
ENTER dw,1      15         Make stack frame for procedure parameters
ENTER dw,db     12+4db     Make stack frame for procedure parameters

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

ENTER is used to create the stack frame required by most
block-structured high-level languages. The first operand specifies how
many bytes of dynamic storage are to be allocated on the stack for the
routine being entered. The second operand gives the lexical nesting
level of the routine within the high-level-language source code. It
determines how many stack frame pointers are copied into the new stack
frame from the preceding frame. BP is used as the current stack frame
pointer.

If the second operand is 0, ENTER pushes BP, sets BP to SP, and
subtracts the first operand from SP.

For example, a procedure with 12 bytes of local variables would have an
ENTER 12,0 instruction at its entry point and a LEAVE instruction before
every RET. The 12 local bytes would be addressed as negative offsets
from [BP]. See also section 4.2.

The formal definition of the ENTER instruction for all cases is given by
the following listing. LEVEL denotes the value of the second operand.

LEVEL := LEVEL MOD 32
Push BP
Set a temporary value FRAME_PTR := SP
If LEVEL > 0 then
    Repeat (LEVEL - 1) times:
        BP := BP - 2
        Push the word pointed to by BP
    End repeat
    Push FRAME_PTR
End if
BP := FRAME_PTR
SP := SP - first operand


PROTECTED MODE EXCEPTIONS 


#SS(0) if SP were to go outside of the stack 
limit within any part of the instruction 
execution. 


REAL ADDRESS MODE EXCEPTIONS 
None 
HLT—Halt

Instruction    Clocks    Description

HLT            2         Halt

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

Successful execution of HLT causes the iAPX 286 to cease executing
instructions and to enter a HALT state. Execution resumes only upon
receipt of an enabled interrupt or a reset. If an interrupt is used to
resume program execution after HLT, the saved CS:IP value will point to
the instruction that follows HLT.

PROTECTED MODE EXCEPTIONS
HLT is a privileged instruction. #GP(0) if the current privilege level
is not 0.

REAL ADDRESS MODE EXCEPTIONS
None
IDIV—Signed Divide

Opcode    Instruction    Clocks       Description

F6 /7     IDIV eb        17,mem=20    Signed divide AX by EA byte (AL=Quo, AH=Rem)
F7 /7     IDIV ew        25,mem=28    Signed divide DX:AX by EA word (AX=Quo, DX=Rem)

FLAGS MODIFIED
None

FLAGS UNDEFINED

Overflow, sign, zero, auxiliary carry, parity, carry

OPERATION

IDIV performs a signed divide. The dividend is implicit; only the
divisor is given as an operand. If the source operand is a BYTE operand,
divide AX by the byte. The quotient is stored in AL, and the remainder
is stored in AH. If the source operand is a WORD operand, divide DX:AX
by the word. The high-order 16 bits of the dividend are in DX. The
quotient is stored in AX, and the remainder is stored in DX.
Non-integral quotients are truncated towards 0. The remainder has the
same sign as the dividend and always has less magnitude than the
dividend.

PROTECTED MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register
(AL or AX), or if the divisor is 0. #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an illegal
address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 0 if the quotient is too big to fit in the designated register
(AL or AX), or if the divisor is 0. Interrupt 13 for a word operand at
offset 0FFFFH.
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IMUL—Signed Multiply 


Instruction Clocks 


IMUL 
IMUL 
IMUL 
IMUL 
IMUL 


eb 

ew 

rw,db 
rw,ew,dw 
rw,ew,db 


13,mem=16 
21,mem= 24 
21,mem=24 
21,mem= 24 
21,mem= 24 


Description 


Signed multiply (AX = AL X EA byte) 

Signed multiply (DXAX = AX X EA word) 
Signed multiply imm. byte into word reg. 
Signed multiply (rw = EA word X imm. word) 
Signed multiply (rw = EA word X imm. byte) 


FLAGS MODIFIED 
Overflow, carry 


FLAGS UNDEFINED 
Sign, zero, auxiliary carry, parity 


OPERATION 

IMUL performs signed multiplication. If 
IMUL has a single byte source operand, then 
the source is multiplied by AL and the 16-bit 
signed result is left in AX. Carry and overflow 
are set to 0 if AH is a sign extension of AL; 
they are set to | otherwise. 


If IMUL has a single word source operand, 
then the source operand is multiplied by AX 
and the 32-bit signed result is left in DX:AX. 
DX contains the high-order 16 bits of the 
product. Carry and overflow are set to 0 if 
DX is a sign extension of AX; they are set to 
1 otherwise. | 


If IMUL has three operands, then the second 
operand (an effective address word) is multi- 
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plied by the third operand (an immediate 
word), and the 16 bits of the result are placed 
in the first operand (a word register). Carry 
and overflow are set to 0 if the result fits in a 
signed word (between — 32768 and +32767, 
inclusive); they are set to | otherwise. 


NOTE 


The low 16 bits of the product of a 16-bit 
signed multiply are the same as those of 
an unsigned multiply. The three operand 
IMUL instruction can be used for 
unsigned operands as well. 


PROTECTED MODE EXCEPTIONS 


#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 13 for a word operand at offset 
0FFFFH.
IN—Input from Port


Opcode   Instruction   Description

E4 db    IN AL,db      Input byte from immediate port into AL
EC       IN AL,DX      Input byte from port DX into AL
E5 db    IN AX,db      Input word from immediate port into AX
ED       IN AX,DX      Input word from port DX into AX


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION


IN transfers a data byte or data word from the port numbered by
the second operand into the register (AL or AX) given as the first
operand. You can access any port from 0 to 65535 by placing the
port number in the DX register then using an IN instruction with DX
as the second parameter. These I/O instructions can be shortened by
using an 8-bit port I/O in the instruction. The upper 8 bits of the
port address will be zero when an 8-bit port I/O is used.


Intel has reserved I/O port addresses 00F8H through 00FFH; they
should not be used.


PROTECTED MODE EXCEPTIONS 

#GP(0) if the current privilege level is bigger
(has less privilege) than IOPL, which is the
privilege level found in the flags register.


REAL ADDRESS MODE EXCEPTIONS 
None 
INC—Increment by 1


Opcode    Instruction   Clocks     Description

FE /0     INC eb        2,mem=7    Increment EA byte by 1
FF /0     INC ew        2,mem=7    Increment EA word by 1
40+ rw    INC rw        2          Increment word register by 1


FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity


FLAGS UNDEFINED
None


OPERATION

1 is added to the operand. Note that the carry flag is not changed
by this instruction. If you want the carry flag set, use the ADD
instruction with a second operand of 1.


PROTECTED MODE EXCEPTIONS 

#GP(0) if the operand is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 13 for a word operand at offset
0FFFFH.
INS/INSB/INSW—Input from Port to String


Instruction   Description

INS eb,DX     Input byte from port DX into ES:[DI]
INS ew,DX     Input word from port DX into ES:[DI]
INSB          Input byte from port DX into ES:[DI]
INSW          Input word from port DX into ES:[DI]


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION


INS transfers data from the input port numbered by the DX register
to the memory byte or word at ES:DI. The memory operand must be
addressable from the ES register; no segment override is possible.


INS does not allow the specification of the port number as an
immediate value. The port must be addressed through the DX
register.


After the transfer is made, DI is automatically advanced. If the
direction flag is 0 (CLD was executed), DI increments; if the
direction flag is 1 (STD was executed), DI decrements. DI
increments or decrements by 1 if a byte was moved; by 2 if a word
was moved.


INS can be preceded by the REP prefix for block input of CX bytes
or words. Refer to the REP instruction for details of this
operation.


Intel has reserved I/O port addresses 00F8H
through 00FFH; they should not be used.


NOTE


Not all input port devices can handle the
rate at which this instruction transfers
input data to memory.


PROTECTED MODE EXCEPTIONS

#GP(0) if CPL > IOPL. #GP(0) if the destination is in a
non-writable segment. #GP(0) for an illegal memory operand
effective address in the CS, DS, or ES segments; #SS(0) for an
illegal address in the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
INT/INTO—Call to Interrupt Procedure


Instruction   Clocks(1)      Description

INT 3         93(2)          Interrupt 3 (trap to debugger)
INT 3         40             Interrupt 3, protected mode, same privilege
INT 3         78             Interrupt 3, protected mode, more privilege
INT 3         167            Interrupt 3, protected mode, via task gate
INT db        93(2)          Interrupt numbered by immediate byte
INT db        40             Interrupt, protected mode, same privilege
INT db        78             Interrupt, protected mode, more privilege
INT db        167            Interrupt, protected mode, via task gate
INTO          24,noj=3(1)    Interrupt 4 if overflow flag is 1


(1) = Add one clock for each byte of the next instruction executed.

(2) = (real mode)


FLAGS MODIFIED 

All if a task switch takes place; Trap Flag
reset if no task switch takes place. Interrupt
Flag is always reset in Real Mode, and reset
in Protected Mode when INT references an
interrupt gate.


FLAGS UNDEFINED 
None 


OPERATION 

The INT instruction generates via software a 
call to an interrupt procedure. The immedi- 
ate operand, from 0 to 255, gives the index 
number into the Interrupt Descriptor Table 
of the interrupt routine to be called. In 
protected mode, the IDT consists of 8-byte 
descriptors; the descriptor for the interrupt 
invoked must indicate an interrupt gate, a trap 
gate, or a task gate. In real address mode, the
IDT is an array of 4-byte long pointers at the
fixed location 00000H.


The INTO instruction is identical to the INT instruction except
that the interrupt number is implicitly 4, and the interrupt is
made only if the overflow flag of the iAPX 286 is on. The clock
counts for the four forms of INT db are valid for INTO, with the
number of clocks increased by 1 for the overflow flag test.


The first 32 interrupts are reserved by Intel for systems use.
Some of these interrupts are exception handlers for
internally-generated faults. Most of these exception handlers
should not be invoked with the INT instruction.


Generally, interrupts behave like far CALLs except that the flags
register is pushed onto the stack before the return address.
Interrupt procedures return via the IRET instruction, which pops
the flags from the stack.


In Real Address mode, INT pushes the flags, CS and the return IP
onto the stack in that order, then resets the Trap Flag, then jumps
to the long pointer indexed by the interrupt number, in the
interrupt vector table.


In Protected mode, INT also resets the Trap Flag. In Protected
mode, the precise semantics of the INT instruction are given by the
following:


INTERRUPT
Interrupt vector must be within IDT table limits else #GP (vector number × 8 + 2 + EXT)
Descriptor AR byte must indicate interrupt gate, trap gate, or task gate else #GP (vector number × 8 + 2 + EXT)
If INT instruction then gate descriptor DPL must be ≥ CPL else #GP (vector number × 8 + 2 + EXT)
Gate must be PRESENT else #NP (vector number × 8 + 2 + EXT)
If TRAP GATE or INTERRUPT GATE:
    Examine CS selector and descriptor given in the gate descriptor:
        Selector must be non-null else #GP (EXT)
        Selector must be within its descriptor table limits else #GP (selector + EXT)
        Descriptor AR byte must indicate code segment else #GP (selector + EXT)
        Segment must be PRESENT else #NP (selector + EXT)
    If code segment is non-conforming and DPL < CPL then
        INTERRUPT TO INNER PRIVILEGE:
            Check selector and descriptor for new stack in current Task State Segment:
                Selector must be non-null else #GP (EXT)
                Selector index must be within its descriptor table limits else #TS (SS selector + EXT)
                Selector's RPL must equal DPL of code segment else #TS (SS selector + EXT)
                Stack segment DPL must equal DPL of code segment else #TS (SS selector + EXT)
                Descriptor must indicate writable data segment else #TS (SS selector + EXT)
                Segment must be PRESENT else #SS (SS selector + EXT)
            New stack must have room for 10 bytes else #SS(0)
            IP must be in CS limit else #GP(0)
            Load new SS and SP value from TSS
            Load new CS and IP value from gate
            Load CS descriptor
            Load SS descriptor
            Push long pointer to old stack onto new stack
            Push return address onto new stack
            Set CPL to new code segment DPL
            Set RPL of CS to CPL
            If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
            Set the Trap Flag to 0
            Set the Nested Task Flag to 0
    If code segment is conforming or code segment DPL = CPL then
        INTERRUPT TO SAME PRIVILEGE LEVEL:
            Current stack limits must allow pushing 6 bytes else #SS(0)
            If interrupt was caused by fault with error code then
                Stack limits must allow push of two more bytes else #SS(0)
            IP must be in CS limit else #GP(0)
            Push flags onto stack
            Push current CS selector onto stack
            Push return offset onto stack
            Load CS:IP from gate
            Load CS descriptor
            Set the RPL field of CS to CPL
            Push error code (if any) onto stack
            If INTERRUPT GATE then set the Interrupts Enabled Flag to 0 (disabled)
            Set the Trap Flag to 0
            Set the Nested Task Flag to 0
    Else #GP (CS selector + EXT)

If TASK GATE:
    Examine selector to TSS, given in Task Gate descriptor:
        Must specify global in the local/global bit else #GP (TSS selector)
        Index must be within GDT limits else #GP (TSS selector)
        AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
        Task State Segment must be PRESENT else #NP (TSS selector)
    SWITCH_TASKS with nesting to TSS
    If interrupt was caused by fault with error code then
        Stack limits must allow push of two more bytes else #SS(0)
        Push error code onto stack
    IP must be in CS limit else #GP(0)

NOTE


EXT is 1 if an external event (i.e., a single
step, an external interrupt, an MF exception,
or an MP exception) caused the interrupt; 0 if
not (i.e., an INT instruction or other
exceptions).


PROTECTED MODE EXCEPTIONS

#GP, #NP, #SS, and #TS, as indicated in the
list above.


REAL ADDRESS MODE EXCEPTIONS 

None; the 80286 will shut down if the SP = 
1, 3, or 5 before executing the INT or INTO 
instruction—due to lack of stack space. 
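
The first four checks of the protected-mode listing decide whether software at a given CPL may enter a vector at all, which is how an operating system keeps application code from invoking exception handlers with INT. The C model below is an added example, not code from the manual. It assumes the 80286 gate descriptor layout (AR byte at offset 5 of the 8-byte descriptor, present bit 7, DPL in bits 6-5, low five bits 00101/00110/00111 for task/interrupt/trap gate), with the gate DPL required to be numerically at least CPL for the INT instruction; the sample IDT and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fault_kind { FAULT_NONE, FAULT_GP, FAULT_NP };

struct fault {
    enum fault_kind kind;
    uint16_t error_code;            /* vector number * 8 + 2 + EXT */
};

/* Assumed 80286 gate descriptor fields (see lead-in). */
#define GATE_AR_OFFSET      5
#define AR_PRESENT          0x80
#define AR_DPL(ar)          (((ar) >> 5) & 3)
#define AR_TYPE(ar)         ((ar) & 0x1F)
#define TYPE_TASK_GATE      0x05
#define TYPE_INTERRUPT_GATE 0x06
#define TYPE_TRAP_GATE      0x07

static struct fault make_fault(enum fault_kind kind, uint8_t vector, int ext)
{
    struct fault f;
    f.kind = kind;
    f.error_code = (uint16_t)(vector * 8 + 2 + (ext ? 1 : 0));
    return f;
}

/* Checks 1-4 of the INTERRUPT listing, in the listed order. */
struct fault int_gate_check(const uint8_t *idt, uint16_t idt_limit, uint8_t vector,
                            int cpl, int is_int_instruction, int ext)
{
    struct fault ok = { FAULT_NONE, 0 };
    uint8_t ar;

    /* The whole 8-byte descriptor must lie within the IDT limit. */
    if ((uint32_t)vector * 8 + 7 > idt_limit)
        return make_fault(FAULT_GP, vector, ext);

    ar = idt[vector * 8 + GATE_AR_OFFSET];
    if (AR_TYPE(ar) != TYPE_INTERRUPT_GATE && AR_TYPE(ar) != TYPE_TRAP_GATE &&
        AR_TYPE(ar) != TYPE_TASK_GATE)
        return make_fault(FAULT_GP, vector, ext);

    /* Only the INT instruction is subject to the gate DPL check; faults
     * and external interrupts enter through the same gate regardless. */
    if (is_int_instruction && AR_DPL(ar) < cpl)
        return make_fault(FAULT_GP, vector, ext);

    if (!(ar & AR_PRESENT))
        return make_fault(FAULT_NP, vector, ext);
    return ok;
}

/* Constructed sample IDT with 34 entries (limit 271):
 *   vector 13   interrupt gate, DPL 0, present      (exception handler)
 *   vector 20H  interrupt gate, DPL 3, not present
 *   vector 21H  trap gate,      DPL 3, present      (service entry point)
 * All other entries are zero, which is not a valid gate type. */
#define SAMPLE_ENTRIES 34
#define SAMPLE_LIMIT   (SAMPLE_ENTRIES * 8 - 1)

struct fault sample_check(uint8_t vector, int cpl, int is_int_instruction, int ext)
{
    uint8_t idt[SAMPLE_ENTRIES * 8];
    memset(idt, 0, sizeof idt);
    idt[13 * 8 + GATE_AR_OFFSET]   = 0x86;
    idt[0x20 * 8 + GATE_AR_OFFSET] = 0x66;
    idt[0x21 * 8 + GATE_AR_OFFSET] = 0xE7;
    return int_gate_check(idt, SAMPLE_LIMIT, vector, cpl, is_int_instruction, ext);
}

int main(void)
{
    struct fault f = sample_check(13, 3, 1, 0);  /* INT 13 executed at CPL 3 */
    printf("INT 13 at CPL 3: kind=%d error code=%u\n", (int)f.kind, (unsigned)f.error_code);
    f = sample_check(13, 3, 0, 0);               /* processor-detected fault */
    printf("fault via vector 13: kind=%d\n", (int)f.kind);
    return 0;
}
```
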
IRET—Interrupt Return


Instruction   Clocks*     Description

IRET          17,pm=31    Interrupt return (far return and pop flags)
IRET          99          Interrupt return, lesser privilege
IRET          169         Interrupt return, different task (NT=1)


*Add one clock for each byte in the next instruction executed.


FLAGS MODIFIED 
Entire flags register popped from stack 


FLAGS UNDEFINED 
None 


OPERATION 

In real address mode, IRET pops IP, CS, and 
FLAGS from the stack in that order, and 
resumes the interrupted routine. 


In protected mode, the action of IRET 
depends on the setting of the Nested Task 
Flag (NT) bit in the flag register. When 
popping the new flag image from the stack, 
note that the IOPL bits in the flag register 
are changed only when CPL=0. 

If NT=0, IRET returns from an interrupt
procedure without a task switch. The code 
returned to must be equally or less privileged 
than the interrupt routine as indicated by the 
RPL bits of the CS selector popped from the 
stack. If the destination code is of less privi- 
lege, IRET then also pops SP and SS from 
the stack. 


If NT=1, IRET reverses the operation of a 
CALL or INT that caused a task switch. The 
task executing IRET has its updated state 
saved in its Task State Segment. This means 
that if the task is re-entered, the code that 
follows IRET will be executed.


The exact checks and actions performed by 
IRET in protected mode are given on the 
following page. 

INTERRUPT RETURN:
If Nested Task Flag=1 then
    RETURN FROM NESTED TASK:
        Examine Back Link Selector in TSS addressed by the current Task Register:
            Must specify global in the local/global bit else #TS (new TSS selector)
            Index must be within GDT limits else #TS (new TSS selector)
            AR byte must specify TSS else #TS (new TSS selector)
            New TSS must be busy else #TS (new TSS selector)
            Task State Segment must be PRESENT else #NP (new TSS selector)
        SWITCH_TASKS without nesting to TSS specified by back link selector
        Mark the task just abandoned as NOT BUSY
        IP must be in code segment limit else #GP(0)

If Nested Task Flag=0 then
    INTERRUPT RETURN ON STACK:
        Second word on stack must be within stack limits else #SS(0)
        Return CS selector RPL must be ≥ CPL else #GP (Return selector)
        If return selector RPL = CPL then
            INTERRUPT RETURN TO SAME LEVEL:
                Top 6 bytes on stack must be within limits else #SS(0)
                Return CS selector (at SP+2) must be non-null else #GP(0)
                Selector index must be within its descriptor table limits else #GP (Return selector)
                AR byte must indicate code segment else #GP (Return selector)
                If non-conforming then code segment DPL must = CPL else #GP (Return selector)
                If conforming then code segment DPL must be ≤ CPL else #GP (Return selector)
                Segment must be PRESENT else #NP (Return selector)
                IP must be in code segment limit else #GP(0)
                Load CS:IP from stack
                Load CS-cache with new code segment descriptor
                Load flags with third word on stack
                Increment SP by 6
        Else
            INTERRUPT RETURN TO OUTER PRIVILEGE LEVEL:
                Top 10 bytes on stack must be within limits else #SS(0)
                Examine return CS selector (at SP+2) and associated descriptor:
                    Selector must be non-null else #GP(0)
                    Selector index must be within its descriptor table limits else #GP (Return selector)
                    AR byte must indicate code segment else #GP (Return selector)
                    If non-conforming then code segment DPL must = CS selector RPL else #GP (Return selector)
                    If conforming then code segment DPL must be > CPL else #GP (Return selector)
                    Segment must be PRESENT else #NP (Return selector)
                Examine return SS selector (at SP+8) and associated descriptor:
                    Selector must be non-null else #GP(0)
                    Selector index must be within its descriptor table limits else #GP (SS selector)
                    Selector RPL must equal the RPL of the return CS selector else #GP (SS selector)
                    AR byte must indicate a writable data segment else #GP (SS selector)
                    Stack segment DPL must equal the RPL of the return CS selector else #GP (SS selector)
                    SS must be PRESENT else #NP (SS selector)
                IP must be in code segment limit else #GP(0)
                Load CS:IP from stack
                Load flags with values at (SP+4)
                Load SS:SP from stack
                Set CPL to the RPL of the return CS selector
                Load the CS-cache with the CS descriptor
                Load the SS-cache with the SS descriptor
                For each of ES and DS:
                    If the current register setting is not valid for the outer level, then zero the register and clear the valid flag
                    To be valid, the register setting must satisfy the following properties:
                        Selector index must be within descriptor table limits
                        AR byte must indicate data or readable code segment
                        If segment is data or non-conforming code, then:
                            DPL must be ≥ CPL, or
                            DPL must be ≥ RPL.


PROTECTED MODE EXCEPTIONS

#GP, #NP, or #SS, as indicated in the above listing.


REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 if the stack is popped when it has offset 0FFFFH.

Jcond—Jump Short If Condition Met


Instruction   Clocks*    Description

JA cb         7,noj=3    Jump short if above (CF=0 and ZF=0)
JAE cb        7,noj=3    Jump short if above or equal (CF=0)
JB cb         7,noj=3    Jump short if below (CF=1)
JBE cb        7,noj=3    Jump short if below or equal (CF=1 or ZF=1)
JC cb         7,noj=3    Jump short if carry (CF=1)
JCXZ cb       8,noj=4    Jump short if CX register is zero
JE cb         7,noj=3    Jump short if equal (ZF=1)
JG cb         7,noj=3    Jump short if greater (ZF=0 and SF=OF)
JGE cb        7,noj=3    Jump short if greater or equal (SF=OF)
JL cb         7,noj=3    Jump short if less (SF≠OF)
JLE cb        7,noj=3    Jump short if less or equal (ZF=1 or SF≠OF)
JNA cb        7,noj=3    Jump short if not above (CF=1 or ZF=1)
JNAE cb       7,noj=3    Jump short if not above/equal (CF=1)
JNB cb        7,noj=3    Jump short if not below (CF=0)
JNBE cb       7,noj=3    Jump short if not below/equal (CF=0 and ZF=0)
JNC cb        7,noj=3    Jump short if not carry (CF=0)
JNE cb        7,noj=3    Jump short if not equal (ZF=0)
JNG cb        7,noj=3    Jump short if not greater (ZF=1 or SF≠OF)
JNGE cb       7,noj=3    Jump short if not greater/equal (SF≠OF)
JNL cb        7,noj=3    Jump short if not less (SF=OF)
JNLE cb       7,noj=3    Jump short if not less/equal (ZF=0 and SF=OF)
JNO cb        7,noj=3    Jump short if not overflow (OF=0)
JNP cb        7,noj=3    Jump short if not parity (PF=0)
JNS cb        7,noj=3    Jump short if not sign (SF=0)
JNZ cb        7,noj=3    Jump short if not zero (ZF=0)
JO cb         7,noj=3    Jump short if overflow (OF=1)
JP cb         7,noj=3    Jump short if parity (PF=1)
JPE cb        7,noj=3    Jump short if parity even (PF=1)
JPO cb        7,noj=3    Jump short if parity odd (PF=0)
JS cb         7,noj=3    Jump short if sign (SF=1)
JZ cb         7,noj=3    Jump short if zero (ZF=1)


*When a jump is taken, add one clock for every byte of the next instruction executed.


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 


Conditional jumps (except for JCXZ, explained below) test the
flags, which presumably have been set in some meaningful way by a
previous instruction. The conditions for each mnemonic are given in
parentheses after each description above. The terms "less" and
"greater" are used for comparing signed integers; "above" and
"below" are used for unsigned integers.


If the given condition is true, then a short jump is made to the
label provided as the operand. Instruction encoding is most
efficient when the target for the conditional jump is in the
current code segment and within −128 to +127 bytes of the first
byte of the next instruction. Alternatively, the opposite sense
(e.g., JNZ has opposite sense to that of JZ) of the conditional
jump can skip around an unconditional jump to the destination.


This range is necessary for the assembler to 
construct a one-byte signed displacement from 
the end of the current instruction. If the label 
is out-of-range, or if the label is a FAR label, 
then you must perform a jump with the 
opposite condition around an unconditional 
jump to the non-short label. 


Because there are, in many instances, several 
ways to interpret a particular state of the 
flags, ASM286 provides more than one 
mnemonic for most of the conditional jump 
opcodes. For example, consider that a 
programmer who has just compared a 
character to another in AL might wish to 
jump if the two were equal (JE), while 
another programmer who had just ANDed 
AX with a bit field mask would prefer to 
consider only whether the result was zero or 
not (he would use JZ, a synonym for JE). 


JCXZ differs from the other conditional 
jumps in that it actually tests the contents of 
the CX register for zero, rather than interro- 
gating the flags. This instruction is useful 
following a conditionally repeated string 
operation (REPE SCASB, for example) or a 
conditional loop instruction (such as
LOOPNE TARGETLABEL). These
instructions implicitly use a limiting count in 
the CX register. Looping (repeating) ends 
when either the CX register goes to zero or 
the condition specified in the instruction (flags 
indicating equals in both of the above cases) 
occurs. JCXZ is useful when the termina- 
tions must be handled differently. 


PROTECTED MODE EXCEPTIONS 


#GP(0) if the offset jumped to is beyond the 
limits of the code segment. 


REAL ADDRESS MODE EXCEPTIONS 
None
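
The signed ("less"/"greater") and unsigned ("above"/"below") mnemonics test different flags, so choosing the wrong family after a compare changes which values pass a bounds check. The C model below is an added example, not code from the manual: it derives CF, ZF, SF and OF for a 16-bit CMP and evaluates the JA, JB, JG and JL conditions from the table. The length-check helpers and the operand values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct flags { int cf, zf, sf, of; };

/* Flags left by CMP a,b, which computes a - b and discards the difference. */
struct flags cmp16(uint16_t a, uint16_t b)
{
    uint16_t diff = (uint16_t)(a - b);
    struct flags f;
    f.cf = (a < b);                              /* borrow: a is below b as unsigned */
    f.zf = (diff == 0);
    f.sf = (diff >> 15) & 1;
    /* Signed overflow: operands differ in sign and the result's sign
     * differs from the first operand's. */
    f.of = (((a ^ b) & (a ^ diff)) >> 15) & 1;
    return f;
}

/* Conditions as listed in the Jcond table. */
int cond_ja(struct flags f) { return f.cf == 0 && f.zf == 0; }   /* above   */
int cond_jb(struct flags f) { return f.cf == 1; }                /* below   */
int cond_jg(struct flags f) { return f.zf == 0 && f.sf == f.of; } /* greater */
int cond_jl(struct flags f) { return f.sf != f.of; }             /* less    */

/* Length check written as "CMP len,limit / JG reject": signed compare.
 * Returns 1 when the length is accepted (the jump is not taken). */
int accepted_by_jg(uint16_t len, uint16_t limit)
{
    return !cond_jg(cmp16(len, limit));
}

/* The same check written with JA: unsigned compare. */
int accepted_by_ja(uint16_t len, uint16_t limit)
{
    return !cond_ja(cmp16(len, limit));
}

int main(void)
{
    /* Constructed inputs: a limit of 64 and three candidate lengths.
     * 0FFFFH is -1 when read as signed and 65535 when read as unsigned. */
    const uint16_t lengths[] = { 10, 100, 0xFFFF };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("len=%04XH  JG check accepts=%d  JA check accepts=%d\n",
               (unsigned)lengths[i],
               accepted_by_jg(lengths[i], 64),
               accepted_by_ja(lengths[i], 64));
    return 0;
}
```

A length of 0FFFFH passes the JG form because it compares as −1, while the JA form rejects it; lengths and sizes therefore belong with the above/below mnemonics.
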


JMP—Jump


Opcode   Instruction   Clocks*     Description

EB cb    JMP cb        7           Jump short
EA       JMP cd        180         Jump to task gate
E9       JMP cw        7           Jump near
EA       JMP cd        11,pm=23    Jump far (4-byte immediate address)
EA       JMP cd        38          Jump to call gate, same privilege
EA       JMP cd        175         Jump via Task State Segment
FF       JMP ew        7,mem=11    Jump near to EA word (absolute offset)
FF       JMP ed        15,pm=26    Jump far (4-byte effective address in memory doubleword)
FF       JMP ed        41          Jump to call gate, same privilege
FF       JMP ed        178         Jump via Task State Segment
FF       JMP ed        183         Jump to task gate


*Add one clock for every byte of the next instruction executed.


FLAGS MODIFIED 


All if a task switch takes place; none if no 
task switch occurs. 


FLAGS UNDEFINED 
None 


OPERATION 


The JMP instruction transfers program control to a different
instruction stream without recording any return information.


For inter-segment jumps, the destination can be a code segment, a
call gate, a task gate, or a Task State Segment. The latter two
destinations cause a complete task switch to take place.


Control transfers within a segment use the JMP cw or JMP cb forms.
The operand is a relative offset added modulo 65536 to the offset
of the instruction that follows the JMP. The result is the new
value of IP; the value of CS is unchanged. The byte operand is
sign-extended before it is added; it can therefore be used to
address labels within 128 bytes in either direction from the next
instruction.


Indirect jumps within a segment use the JMP ew form. The contents
of the register or memory operand is an absolute offset, which
becomes the new value of IP. Again, CS is unchanged.


Inter-segment jumps in real address mode simply set IP to the
offset part of the long pointer and set CS to the selector part of
the pointer.


In protected mode, inter-segment jumps cause the iAPX 286 to
consult the descriptor addressed by the selector part of the long
pointer. The AR byte of the descriptor determines the type of the
destination. (See table B-3 for possible values of the AR byte.)
Following are the possible destinations:


1. Code segment—The addressability and visibility of the
   destination are verified, and CS and IP are loaded with the
   destination pointer values.


2. Call gate—The offset part of the destination pointer is
   ignored. After checking for validity, the processor jumps to the
   location stored in the call gate descriptor.


3. Task gate—The current task's state is saved in its Task State
   Segment (TSS), and the TSS named in the task gate is used to
   load a new context. The outgoing task is marked not busy, the
   new TSS is marked busy, and execution resumes at the point at
   which the new task was last suspended.


4. TSS—The current task is suspended and the new task is initiated
   as in 3 above except that there is no intervening gate.


Following is the list of checks and actions taken for long jumps
in protected mode:

JUMP FAR:
    If indirect then check access of EA doubleword #GP(0) or #SS(0) if limit violation
    Destination selector is not null else #GP(0)
    Destination selector index is within its descriptor table limits else #GP (selector)
    Examine AR byte of destination selector for legal values:

        JUMP CONFORMING CODE SEGMENT:
            Descriptor DPL must be ≤ CPL else #GP (selector)
            Segment must be PRESENT else #NP (selector)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from destination pointer
            Load CS-cache with new segment descriptor

        JUMP NONCONFORMING CODE SEGMENT:
            RPL of destination selector must be ≤ CPL else #GP (selector)
            Descriptor DPL must = CPL else #GP (selector)
            Segment must be PRESENT else #NP (selector)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from destination pointer
            Load CS-cache with new segment descriptor
            Set RPL field of CS register to CPL

        JUMP TO CALL GATE:
            Descriptor DPL must be ≥ CPL else #GP (gate selector)
            Descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
            Gate must be PRESENT else #NP (gate selector)
            Examine selector to code segment given in call gate descriptor:
                Selector must not be null else #GP(0)
                Selector must be within its descriptor table limits else #GP (CS selector)
                Descriptor AR byte must indicate code segment else #GP (CS selector)
                If non-conforming, code segment descriptor DPL must = CPL else #GP (CS selector)
                If conforming, then code segment descriptor DPL must be ≤ CPL else #GP (CS selector)
                Code Segment must be PRESENT else #NP (CS selector)
            IP must be in code segment limit else #GP(0)
            Load CS:IP from call gate
            Load CS-cache with new code segment
            Set RPL of CS to CPL

        JUMP TASK GATE:
            Gate descriptor DPL must be ≥ CPL else #GP (gate selector)
            Gate descriptor DPL must be ≥ gate selector RPL else #GP (gate selector)
            Task Gate must be PRESENT else #NP (gate selector)
            Examine selector to TSS, given in Task Gate descriptor:
                Must specify global in the local/global bit else #GP (TSS selector)
                Index must be within GDT limits else #GP (TSS selector)
                Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
                Task State Segment must be PRESENT else #NP (TSS selector)
            SWITCH_TASKS without nesting to TSS
            IP must be in code segment limit else #GP(0)

        JUMP TASK STATE SEGMENT:
            TSS DPL must be ≥ CPL else #GP (TSS selector)
            TSS DPL must be ≥ TSS selector RPL else #GP (TSS selector)
            Descriptor AR byte must specify available TSS (bottom bits 00001) else #GP (TSS selector)
            Task State Segment must be PRESENT else #NP (TSS selector)
            SWITCH_TASKS with nesting to TSS
            IP must be in code segment limit else #GP(0)

        Else #GP (selector)


PROTECTED MODE EXCEPTIONS

For NEAR jumps, #GP(0) if the destination offset is beyond the
limits of the current code segment. For FAR jumps, #GP, #NP, #SS,
and #TS, as indicated above. #UD if indirect inter-segment jump
operand is a register.


REAL ADDRESS MODE EXCEPTIONS

#UD if indirect inter-segment jump operand is a register.

LAHF—Load Flags into AH Register


Instruction   Clocks   Description

LAHF          2        Load: AH = flags SF ZF xx AF xx PF xx CF


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION


The low byte of the flags word is transferred to AH. The bits,
from MSB to LSB, are as follows: sign, zero, indeterminate,
auxiliary carry, indeterminate, parity, indeterminate, and carry.
See figure 3-5.


PROTECTED MODE EXCEPTIONS

None


REAL ADDRESS MODE EXCEPTIONS
None

LAR—Load Access Rights Byte


Opcode      Instruction   Clocks       Description

0F 02 /r    LAR rw,ew     14,mem=16    Load: high(rw)= Access Rights byte, selector ew


FLAGS MODIFIED
Zero


FLAGS UNDEFINED
None


OPERATION


LAR expects the second operand (memory or register word) to
contain a selector. If the associated descriptor is visible at the
current privilege level and at the selector RPL, then the access
rights byte of the descriptor is loaded into the high byte of the
first (register) operand, and the low byte is set to zero. The zero
flag is set if the loading was performed (i.e., the selector index
is within the table limit, descriptor DPL ≥ CPL, and descriptor
DPL ≥ selector RPL); the zero flag is cleared otherwise.


Selector operands cannot cause protection 
exceptions. 


PROTECTED MODE EXCEPTIONS 


#GP(0) for an illegal memory operand effective address in the CS,
DS, or ES segments; #SS(0) for an illegal address in the SS
segment.


REAL ADDRESS MODE EXCEPTION
INTERRUPT 6; LAR is unrecognized in
Real Address mode.

LDS/LES—Load Doubleword Pointer


Instruction   Clocks     Description

LDS rw,ed     7,pm=21    Load EA doubleword into DS and word register
LES rw,ed     7,pm=21    Load EA doubleword into ES and word register


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 


The four-byte pointer at the memory location 
indicated by the second operand is loaded into 
a segment register and a word register. The 
first word of the pointer (the offset) is loaded 
into the register indicated by the first operand. 
The last word of the pointer (the selector) is 
loaded into the segment register (DS or ES) 
given by the instruction opcode. 


When the segment register is loaded, its associated cache is also
loaded. The data for the cache is obtained from the descriptor
table entry for the selector given.


A null selector (values 0000-0003) can be loaded into DS or ES
without a protection exception. Any memory reference using such a
segment register value will cause a #GP(0) exception but will not
result in a memory reference. The saved segment register value will
be null.


Following is a list of checks and actions taken when loading the
DS or ES registers:


If selector is non-null then:
    Selector index must be within its descriptor table limits else #GP (selector)
    Examine descriptor AR byte:
        Data segment or readable non-conforming code segment
            Descriptor DPL ≥ CPL else #GP (selector)
            Descriptor DPL ≥ selector RPL else #GP (selector)
        Readable conforming code segment
            No DPL, RPL, or CPL checks
        Else #GP (selector)
    Segment must be present else #NP (selector)
    Load registers from operand
    Load segment register descriptor cache
If selector is null then:
    Load registers from operand
    Mark segment register cache as invalid

PROTECTED MODE EXCEPTIONS

#GP or #NP, as indicated in the list above.
#GP(0) or #SS(0) if operand lies outside
segment limit. #UD if the source operand is
a register.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for operand at offset 0FFFFH
or 0FFFDH. #UD if the source operand is a
register.
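
The list of checks for loading DS or ES is the rule that keeps less privileged code, or a selector passed in by less privileged code, from reaching a more privileged data segment. The C model below is an added example, not code from the manual. It assumes the 80286 segment descriptor layout (AR byte at offset 5; present bit 7, DPL bits 6-5, segment bit 4, executable bit 3, conforming bit 2, readable bit 1), with DPL required to be numerically at least CPL and at least the selector RPL, and it models a single descriptor table; the table contents and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum load_fault { LOAD_OK, LOAD_GP, LOAD_NP };

struct load_result {
    enum load_fault fault;
    uint16_t error_code;   /* the selector, as written in "#GP (selector)" */
    int cache_valid;       /* 0 after a null selector or a fault */
};

/* Assumed 80286 segment descriptor AR byte fields (see lead-in). */
#define DESC_AR_OFFSET 5
#define AR_P           0x80
#define AR_DPL(ar)     (((ar) >> 5) & 3)
#define AR_SEGMENT     0x10   /* 1 = code or data segment, 0 = system */
#define AR_EXEC        0x08   /* 1 = code segment */
#define AR_CONFORM     0x04   /* code segments only */
#define AR_READABLE    0x02   /* code segments only */

static struct load_result fail(enum load_fault fault, uint16_t selector)
{
    struct load_result r = { fault, selector, 0 };
    return r;
}

struct load_result load_data_selector(const uint8_t *table, uint16_t table_limit,
                                      uint16_t selector, int cpl)
{
    struct load_result ok = { LOAD_OK, 0, 1 };
    unsigned index = selector >> 3;
    int rpl = selector & 3;
    int needs_privilege_check;
    uint8_t ar;

    if ((selector & 0xFFFC) == 0) {      /* null selector, values 0000-0003 */
        ok.cache_valid = 0;              /* loaded, but any later use faults */
        return ok;
    }
    if (index * 8u + 7u > table_limit)
        return fail(LOAD_GP, selector);

    ar = table[index * 8u + DESC_AR_OFFSET];
    if (!(ar & AR_SEGMENT))
        return fail(LOAD_GP, selector);              /* not a code or data segment */
    if (!(ar & AR_EXEC))
        needs_privilege_check = 1;                   /* data segment */
    else if (!(ar & AR_READABLE))
        return fail(LOAD_GP, selector);              /* execute-only code */
    else
        needs_privilege_check = !(ar & AR_CONFORM);  /* readable code */

    if (needs_privilege_check && (AR_DPL(ar) < cpl || AR_DPL(ar) < rpl))
        return fail(LOAD_GP, selector);
    if (!(ar & AR_P))
        return fail(LOAD_NP, selector);
    return ok;
}

/* Constructed sample table (6 entries, limit 47):
 *   1: data, DPL 0          2: data, DPL 3
 *   3: execute-only code    4: readable conforming code, DPL 0
 *   5: data, DPL 3, not present */
struct load_result sample_load(uint16_t selector, int cpl)
{
    static const uint8_t ar_bytes[6] = { 0x00, 0x92, 0xF2, 0xF8, 0x9E, 0x72 };
    uint8_t table[6 * 8];
    unsigned i;

    memset(table, 0, sizeof table);
    for (i = 0; i < 6; i++)
        table[i * 8 + DESC_AR_OFFSET] = ar_bytes[i];
    return load_data_selector(table, sizeof table - 1, selector, cpl);
}

int main(void)
{
    /* CPL 0 code handed selector 000BH (entry 1 with RPL 3) by a caller. */
    struct load_result r = sample_load(0x000B, 0);
    printf("selector 000BH at CPL 0: fault=%d error code=%04XH\n",
           (int)r.fault, (unsigned)r.error_code);
    return 0;
}
```

The case in `main` shows the RPL check at work: code at CPL 0 that loads a selector carrying RPL 3 is refused access to a DPL 0 data segment, although the same segment loads when the selector's RPL is 0.
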

LEA—Load Effective Address Offset


Opcode   Instruction   Clocks   Description

8D /r    LEA rw,m      3        Calculate EA offset given by m, place in rw


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION

The effective address (offset part) of the second operand is
placed in the first (register) operand.


PROTECTED MODE EXCEPTIONS

#UD if second operand is a register.


REAL ADDRESS MODE EXCEPTIONS

#UD if second operand is a register.

LEAVE—High Level Procedure Exit


Opcode   Instruction   Clocks   Description

C9       LEAVE         5        Set SP to BP, then POP BP


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION

LEAVE is the complementary operation to ENTER; it reverses the
effects of that instruction. By copying BP to SP, LEAVE releases
the stack space used by a procedure for its dynamics and display.
The old frame pointer is now popped into BP, restoring the caller's
frame, and a subsequent RET nn instruction will follow the
back-link and remove any arguments pushed on the stack for the
exiting procedure.


PROTECTED MODE EXCEPTIONS 


#SS(0) if BP does not point to a location 
within the current stack segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 13 for a word operand at offset
0FFFFH.


LGDT/LIDT—Load Global/Interrupt Descriptor Table Register


Opcode      Instruction   Clocks   Description

0F 01 /2    LGDT m        11       Load m into Global Descriptor Table reg
0F 01 /3    LIDT m        12       Load m into Interrupt Descriptor Table reg


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION

The Global or the Interrupt Descriptor Table Register is loaded
from the six bytes of memory pointed to by the effective address
operand (see figure 10.3). The LIMIT field of the descriptor table
register loads from the first word; the next three bytes go to the
BASE field of the register; the last byte is ignored.


LGDT and LIDT appear in operating systems software; they are not
used in application programs. These are the only instructions that
directly load a physical memory address in iAPX 286 protected mode.


PROTECTED MODE EXCEPTIONS : 
#GP(0) if the current privilege level is not 0. 


#UD if source operand is a register. 


#GP(0) for an illegal memory aoe aut effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an uneee? address in the SS 
segment. : . 


REAL ADDRESS MODE EXCEPTIONS 

These instructions are valid in Real Address 
mode to allow the power-up anes for 
Protected mode. 


Interrupt 13 for a word operand at offset 
OFFFFH. #UD if source operand is a 
register. 
LLDT—Load Local Descriptor Table Register

Opcode     Instruction   Clocks      Description

0F 00 /2   LLDT ew       17,mem=19   Load selector ew into Local Descriptor Table register

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The word operand (memory or register) to LLDT should contain a selector pointing to the Global Descriptor Table. The GDT entry should be a Local Descriptor Table. If so, then the Local Descriptor Table Register is loaded from the entry. The descriptor cache entries for DS, ES, SS, and CS are not affected. The LDT field in the TSS is not changed.

The selector operand is allowed to be zero. In that case, the Local Descriptor Table Register is marked invalid. All descriptor references (except by LAR, VERR, VERW or LSL instructions) will cause a #GP fault.

LLDT appears in operating systems software; it does not appear in applications programs.

PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is not 0. #GP (selector) if the selector operand does not point into the Global Descriptor Table, or if the entry in the GDT is not a Local Descriptor Table. #NP (selector) if LDT descriptor is not present. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LLDT is not recognized in Real Address Mode.

LMSW—Load Machine Status Word

Opcode     Instruction   Clocks    Description

0F 01 /6   LMSW ew       3,mem=6   Load EA word into Machine Status Word

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The Machine Status Word is loaded from the source operand. This instruction may be used to switch to protected mode. If so, then it must be followed by an intra-segment jump to flush the instruction queue. LMSW will not switch back to Real Address Mode.

LMSW appears only in operating systems software. It does not appear in applications programs.

PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is not 0. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LOCK—Assert BUS LOCK Signal

Instruction   Clocks   Description

LOCK          0        Assert BUSLOCK for the next instruction

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

LOCK is a prefix that will cause the BUS LOCK signal of the iAPX 286 to be asserted for the duration of the instruction that it prefixes. In a multiprocessor environment, this signal should be used to ensure that the iAPX 286 has exclusive use of any shared memory while BUS LOCK is asserted. The read-modify-write sequence typically used to implement TEST-AND-SET in the iAPX 286 is the XCHG instruction.

The 80286 LOCK prefix activates the lock signal for the following instructions: MOVS, INS, and OUTS. XCHG always asserts BUS LOCK regardless of the presence or absence of the LOCK prefix.

PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (less privileged) than the I/O privilege level.

Other exceptions may be generated by the subsequent (locked) instruction.

REAL ADDRESS MODE EXCEPTIONS

None. Exceptions may still be generated by the subsequent (locked) instruction.

LODS/LODSB/LODSW—Load String Operand

Instruction   Description

LODS mb       Load byte [SI] into AL
LODS mw       Load byte [SI] into AL
LODSB         Load byte DS:[SI] into AL
LODSW         Load byte DS:[SI] into AL

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

LODS loads the AL or AX register with the memory byte or word at SI. After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the direction flag is 1 (STD was executed), SI decrements. SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

LOOP/LOOPcond—Loop Control with CX Counter

Opcode   Instruction   Description

E2 cb    LOOP cb       DEC CX; jump short if CX≠0
E1 cb    LOOPE cb      DEC CX; jump short if CX≠0 and equal (ZF=1)
E0 cb    LOOPNE cb     DEC CX; jump short if CX≠0 and not equal (ZF=0)
E0 cb    LOOPNZ cb     DEC CX; jump short if CX≠0 and ZF=0
E1 cb    LOOPZ cb      DEC CX; jump short if CX≠0 and zero (ZF=1)

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

LOOP first decrements the CX register without changing any of the flags. Then, conditions are checked as given in the description above for the form of LOOP being used. If the conditions are met, then an intra-segment jump is made. The destination to LOOP is in the range from 126 (decimal) bytes before the instruction to 127 bytes beyond the instruction.

The LOOP instructions are intended to provide iteration control and to combine loop index management with conditional branching. To use the LOOP instruction you load an unsigned iteration count into CX, then code the LOOP at the end of a series of instructions to be iterated. The destination of LOOP is a label that points to the beginning of the iteration.

PROTECTED MODE EXCEPTIONS

#GP(0) if the offset jumped to is beyond the limits of the current code segment.

REAL ADDRESS MODE EXCEPTIONS

None

LSL—Load Segment Limit

Opcode     Instruction   Clocks      Description

0F 03 /r   LSL rw,ew     14,mem=16   Load: rw = Segment Limit, selector ew

FLAGS MODIFIED
Zero

FLAGS UNDEFINED
None

OPERATION

If the descriptor denoted by the selector in the second (memory or register) operand is visible at the CPL, a word that consists of the limit field of the descriptor is loaded into the left operand, which must be a register. The value is the limit field for that segment. The zero flag is set if the loading was performed (that is, if the selector is non-null, the selector index is within the descriptor table limits, the descriptor is a non-conforming segment descriptor with DPL ≥ CPL, and the descriptor DPL ≥ selector RPL); the zero flag is cleared otherwise.

The LSL instruction returns only the limit field of segments, task state segments, and local descriptor tables. The interpretation of the limit value depends on the type of segment.

The selector operand’s value cannot result in a protection exception.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LSL is not recognized in Real Address mode.

LTR—Load Task Register

Opcode     Instruction   Clocks      Description

0F 00 /3   LTR ew        17,mem=19   Load EA word into Task Register

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The Task Register is loaded from the source register or memory location given by the operand. The loaded TSS is marked busy. A task switch operation does not occur.

LTR appears only in operating systems software. It is not used in applications programs.

PROTECTED MODE EXCEPTIONS

#GP for an illegal memory operand effective address in the CS, DS, or ES segments; #SS for an illegal address in the SS segment.

#GP(0) if the current privilege level is not 0. #GP (selector) if the object named by the source selector is not a TSS or is already busy. #NP (selector) if the TSS is marked not present.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; LTR is not recognized in Real Address mode.

MOV—Move Data

Opcode   Instruction   Clocks    Description

88       MOV eb,rb     2,mem=3   Move byte register into EA byte
89       MOV ew,rw     2,mem=3   Move word register into EA word
8A       MOV rb,eb     2,mem=5   Move EA byte into byte register
8B       MOV rw,ew     2,mem=5   Move EA word into word register
8C       MOV ew,ES     2,mem=3   Move ES into EA word
8C       MOV ew,CS     2,mem=3   Move CS into EA word
8C       MOV ew,SS     2,mem=3   Move SS into EA word
8C       MOV ew,DS     2,mem=3   Move DS into EA word
8E       MOV ES,mw     5,pm=19   Move memory word into ES
8E       MOV ES,rw     2,pm=17   Move word register into ES
8E       MOV SS,mw     5,pm=19   Move memory word into SS
8E       MOV SS,rw     2,pm=17   Move word register into SS
8E       MOV DS,mw     5,pm=19   Move memory word into DS
8E       MOV DS,rw     2,pm=17   Move word register into DS
A0       MOV AL,xb               Move byte variable (offset dw) into AL
A1       MOV AX,xw               Move word variable (offset dw) into AX
A2       MOV xb,AL               Move AL into byte variable (offset dw)
A3       MOV xw,AX               Move AX into word register (offset dw)
B0+      MOV rb,db               Move immediate byte into byte register
B8+      MOV rw,dw               Move immediate word into word register
C6       MOV eb,db               Move immediate byte into EA byte
C7       MOV ew,dw               Move immediate word into EA word

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The second operand is copied to the first operand.

If the destination operand is a segment register (DS, ES, or SS), then the associated segment register cache is also loaded. The data for the cache is obtained from the descriptor table entry for the selector given.

A null selector (values 0000-0003) can be loaded into DS and ES registers without causing a protection exception. Any use of a segment register with a null selector to address memory will cause #GP(0) exception. No memory reference will occur.

Any move into SS will inhibit all interrupts until after the execution of the next instruction.

Following is a listing of the protected-mode checks and actions taken in the loading of a segment register:

If SS is loaded:
    If selector is null then #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector’s RPL must equal CPL else #GP (selector)
    AR byte must indicate a writable data segment else #GP (selector)
    DPL in the AR byte must equal CPL else #GP (selector)
    Segment must be marked PRESENT else #SS (selector)
    Load SS with selector
    Load SS cache with descriptor

If ES or DS is loaded with non-null selector:
    Selector index must be within its descriptor table limits else #GP (selector)
    AR byte must indicate data or readable code segment else #GP (selector)
    If data or non-conforming code, then both the RPL and the CPL must be less than or equal to DPL in AR byte else #GP (selector)
    Segment must be marked PRESENT else #NP (selector)
    Load segment register with selector
    Load segment register cache with descriptor

If ES or DS is loaded with a null selector:
    Load segment register with selector
    Clear descriptor valid bit

PROTECTED MODE EXCEPTIONS

If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.

Otherwise, #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

MOVS/MOVSB/MOVSW—Move Data from String to String

Instruction    Description

MOVS mb,mb     Move byte [SI] to ES:[DI]
MOVS mw,mw     Move word [SI] to ES:[DI]
MOVSB          Move byte DS:[SI] to ES:[DI]
MOVSW          Move word DS:[SI] to ES:[DI]

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

MOVS copies the byte or word at [SI] to the byte or word at ES:[DI]. The destination operand must be addressable from the ES register; no segment override is possible. A segment override may be used for the source operand.

After the data movement is made, both SI and DI are automatically advanced. If the direction flag is 0 (CLD was executed), the registers increment; if the direction flag is 1 (STD was executed), the registers decrement. The registers increment or decrement by 1 if a byte was moved; by 2 if a word was moved.

MOVS can be preceded by the REP prefix for block movement of CX bytes or words. Refer to the REP instruction for details of this operation.

PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

MUL—Unsigned Multiplication of AL or AX

Instruction   Clocks      Description

MUL eb        13,mem=16   Unsigned multiply (AX = AL X EA byte)
MUL ew        21,mem=24   Unsigned multiply (DXAX = AX X EA word)

FLAGS MODIFIED
Overflow, carry

FLAGS UNDEFINED
Sign, zero, auxiliary carry, parity

OPERATION

If MUL has a byte operand, then the byte is multiplied by AL, and the result is left in AX. Carry and overflow are set to 0 if AH is 0; they are set to 1 otherwise.

If MUL has a word operand, then the word is multiplied by AX, and the result is left in DX:AX. DX contains the high order 16 bits of the product. Carry and overflow are set to 0 if DX is 0; they are set to 1 otherwise.

PROTECTED MODE EXCEPTIONS

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

NEG—Two’s Complement Negation

Instruction   Clocks    Description

NEG eb        2,mem=7   Two’s complement negate EA byte
NEG ew        2,mem=7   Two’s complement negate EA word

FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity, carry

FLAGS UNDEFINED
None

OPERATION

The two’s complement of the register or memory operand replaces the old operand value. Likewise, the operand is subtracted from zero, and the result is placed in the operand.

The carry flag is set to 1 except when the input operand is zero, in which case the carry flag is cleared to 0.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

NOP—No OPERATION

Opcode   Instruction   Clocks   Description

90       NOP           3        No OPERATION

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

Performs no operation. NOP is a one-byte filler instruction that takes up space but affects none of the machine context except IP.

PROTECTED MODE EXCEPTIONS

None

REAL ADDRESS MODE EXCEPTIONS

None

NOT—One’s Complement Negation

Instruction   Clocks    Description

NOT eb        2,mem=7   Reverse each bit of EA byte
NOT ew        2,mem=7   Reverse each bit of EA word

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The operand is inverted; that is, every 1 becomes a 0 and vice versa.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

OR—Logical Inclusive OR

Instruction   Clocks    Description

OR eb,rb      2,mem=7   Logical-OR byte register into EA byte
OR ew,rw      2,mem=7   Logical-OR word register into EA word
OR rb,eb      2,mem=7   Logical-OR EA byte into byte register
OR rw,ew      2,mem=7   Logical-OR EA word into word register
OR AL,db                Logical-OR immediate byte into AL
OR AX,dw      3         Logical-OR immediate word into AX
OR eb,db      3,mem=7   Logical-OR immediate byte into EA byte
OR ew,dw      3,mem=7   Logical-OR immediate word into EA word

FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0

FLAGS UNDEFINED
Auxiliary carry

OPERATION

This instruction computes the inclusive OR of the two operands. Each bit of the result is 0 if both corresponding bits of the operands are 0; each bit is 1 otherwise. The result is placed in the first operand.

PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

OUT—Output to Port

Instruction   Description

OUT db,AL     Output byte AL to immediate port number db
OUT db,AX     Output word AX to immediate port number db
OUT DX,AL     Output byte AL to port number DX
OUT DX,AX     Output word AX to port number DX

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

OUT transfers a data byte or data word from the register (AL or AX) given as the second operand to the output port numbered by the first operand. You can output to any port from 0-65535 by placing the port number in the DX register then using an OUT instruction with DX as the first operand. If the instruction contains an 8-bit port ID, that value is zero-extended to 16 bits.

Intel reserves I/O port addresses 00F8H through 00FFH; these addresses should not be used.

PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger (has less privilege) than IOPL, which is the privilege level found in the flags register.

REAL ADDRESS MODE EXCEPTIONS

None

OUTS/OUTSB/OUTSW—Output String to Port

Opcode   Instruction     Description

6E       OUTS DX,eb      Output byte [SI] to port number DX
6F       OUTS DX,ew      Output word [SI] to port number DX
6E       OUTSB           Output byte DS:[SI] to port number DX
6F       OUTSW           Output word DS:[SI] to port number DX

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

OUTS transfers data from the memory byte or word at SI to the output port numbered by the DX register.

OUTS does not allow the specification of the port number as an immediate value. The port must be addressed through the DX register.

After the transfer is made, SI is automatically advanced. If the direction flag is 0 (CLD was executed), SI increments; if the direction flag is 1 (STD was executed), SI decrements. SI increments or decrements by 1 if a byte was moved; by 2 if a word was moved.

OUTS can be preceded by the REP prefix for block output of CX bytes or words. Refer to the REP instruction for details of this operation.

Intel reserves I/O port addresses 00F8H through 00FFH; these addresses should not be used.

NOTE

Not all output devices can handle the rate at which this instruction transfers data.

PROTECTED MODE EXCEPTIONS

#GP(0) if CPL > IOPL. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POP—Pop a Word from the Stack

Opcode    Instruction   Clocks    Description

1F        POP DS        5,pm=20   Pop top of stack into DS
07        POP ES        5,pm=20   Pop top of stack into ES
17        POP SS        5,pm=20   Pop top of stack into SS
8F /0     POP mw        5         Pop top of stack into memory word
58+ rw    POP rw        5         Pop top of stack into word register

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The word on the top of the iAPX 286 stack, addressed by SS:SP, replaces the previous contents of the memory, register, or segment register operand. The stack pointer SP is incremented by 2 to point to the new top of stack.

If the destination operand is another segment register (DS, ES, or SS), the value popped must be a selector. In protected mode, loading the selector initiates automatic loading of the descriptor information associated with that selector into the hidden part of the segment register; loading also initiates validation of both the selector and the descriptor information.

A null value (0000-0003) may be loaded into the DS or ES register without causing a protection exception. Attempts to reference memory using a segment register with a null value will cause #GP(0) exception. No memory reference will occur. The saved value of the segment register will be null.

A POP SS instruction will inhibit all interrupts, including NMI, until after the execution of the next instruction. This permits a POP SP instruction to be performed first.

Following is a listing of the protected-mode checks and actions taken in the loading of a segment register:

If SS is loaded:
    If selector is null then #GP(0)
    Selector index must be within its descriptor table limits else #GP (selector)
    Selector’s RPL must equal CPL else #GP (selector)
    AR byte must indicate a writable data segment else #GP (selector)
    DPL in the AR byte must equal CPL else #GP (selector)
    Segment must be marked PRESENT else #SS (selector)
    Load SS register with selector
    Load SS cache with descriptor

If ES or DS is loaded with non-null selector:
    AR byte must indicate data or readable code segment else #GP (selector)
    If data or non-conforming code, then both the RPL and the CPL must be less than or equal to DPL in AR byte else #GP (selector)
    Segment must be marked PRESENT else #NP (selector)
    Load segment register with selector
    Load segment register cache with descriptor

If ES or DS is loaded with a null selector:
    Load segment register with selector
    Clear valid bit in cache

PROTECTED MODE EXCEPTIONS

If a segment register is being loaded, #GP, #SS, and #NP, as described in the listing above.

Otherwise, #SS(0) if the current top of stack is not within the stack segment. #GP(0) if the destination is in a non-writable segment. #GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

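
The protected-mode checks listed under MOV and POP for loading SS, DS and ES can be modelled as one function, which makes the order of the checks and the fault each one raises explicit. This is an added example, not code from the manual: the AR-byte and selector bit positions are those of the 80286 descriptor format (defined elsewhere in the manual, not in this section), and load_sreg, struct dtable and the sample table are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>

enum fault { LOAD_OK, FAULT_GP, FAULT_SS, FAULT_NP };
enum sreg  { SREG_ES, SREG_SS, SREG_DS };

/* 8-byte 80286 descriptor; only the access rights (AR) byte matters here. */
struct descriptor { uint16_t limit; uint8_t base[3]; uint8_t ar; uint16_t reserved; };
/* A descriptor table: entries plus its limit (offset of the last valid byte). */
struct dtable { const struct descriptor *entries; uint16_t limit; };
/* error_code is the selector with its RPL bits cleared, or 0 for #GP(0). */
struct load_result { enum fault fault; uint16_t error_code; int cache_valid; };

/* AR byte fields of the 80286 descriptor format (assumed, not listed in this section). */
#define AR_PRESENT(ar)    (((ar) >> 7) & 1)
#define AR_DPL(ar)        (((ar) >> 5) & 3)
#define AR_IS_SEG(ar)     (((ar) >> 4) & 1)   /* 1 = code or data segment */
#define AR_IS_CODE(ar)    (((ar) >> 3) & 1)
#define AR_CONFORMING(ar) (((ar) >> 2) & 1)   /* meaningful for code segments */
#define AR_RW(ar)         (((ar) >> 1) & 1)   /* data: writable, code: readable */

static struct load_result fail(enum fault f, uint16_t code)
{
    struct load_result r = { f, code, 0 };
    return r;
}

/* Hypothetical model of the listing: returns the fault raised, or LOAD_OK. */
struct load_result load_sreg(enum sreg reg, uint16_t sel, unsigned cpl,
                             const struct dtable *gdt, const struct dtable *ldt)
{
    struct load_result ok = { LOAD_OK, 0, 1 };
    const struct dtable *t = (sel & 4) ? ldt : gdt;   /* TI bit selects the table */
    unsigned rpl = sel & 3, off = sel & 0xFFF8u, dpl;
    uint16_t code = (uint16_t)(sel & 0xFFFC);
    uint8_t ar;

    if (sel <= 3) {                        /* null selector: values 0000-0003 */
        if (reg == SREG_SS) return fail(FAULT_GP, 0);
        ok.cache_valid = 0;                /* ES/DS: loaded, valid bit cleared */
        return ok;
    }
    /* Selector index must be within its descriptor table limits. */
    if (t == NULL || off + 7u > (unsigned)t->limit) return fail(FAULT_GP, code);
    ar = t->entries[off / 8].ar;
    dpl = AR_DPL(ar);

    if (reg == SREG_SS) {
        if (rpl != cpl) return fail(FAULT_GP, code);
        if (!AR_IS_SEG(ar) || AR_IS_CODE(ar) || !AR_RW(ar)) return fail(FAULT_GP, code);
        if (dpl != cpl) return fail(FAULT_GP, code);
        if (!AR_PRESENT(ar)) return fail(FAULT_SS, code);
        return ok;
    }
    /* ES or DS: AR byte must indicate data or readable code. */
    if (!AR_IS_SEG(ar) || (AR_IS_CODE(ar) && !AR_RW(ar))) return fail(FAULT_GP, code);
    /* Data or non-conforming code: both RPL and CPL must be <= DPL. */
    if (!(AR_IS_CODE(ar) && AR_CONFORMING(ar)) && (rpl > dpl || cpl > dpl))
        return fail(FAULT_GP, code);
    if (!AR_PRESENT(ar)) return fail(FAULT_NP, code);
    return ok;
}

/* Constructed sample GDT (illustrative values only). */
static const struct descriptor sample_gdt[] = {
    { 0,      {0, 0, 0}, 0x00, 0 },   /* 0x00: null descriptor                  */
    { 0xFFFF, {0, 0, 0}, 0x92, 0 },   /* 0x08: DPL 0 writable data, present     */
    { 0xFFFF, {0, 0, 0}, 0xF2, 0 },   /* 0x10: DPL 3 writable data, present     */
    { 0xFFFF, {0, 0, 0}, 0x72, 0 },   /* 0x18: DPL 3 writable data, not present */
    { 0xFFFF, {0, 0, 0}, 0x98, 0 },   /* 0x20: DPL 0 execute-only code          */
    { 0xFFFF, {0, 0, 0}, 0x9E, 0 },   /* 0x28: DPL 0 conforming readable code   */
};
static const struct dtable SAMPLE_GDT = { sample_gdt, sizeof sample_gdt - 1 };

int main(void)
{
    static const char *names[] = { "ok", "#GP", "#SS", "#NP" };
    /* Ring-0 code handed a selector whose RPL is 3 for a DPL-0 data segment. */
    struct load_result r = load_sreg(SREG_DS, 0x000B, 0, &SAMPLE_GDT, NULL);
    printf("DS <- 000B at CPL 0: %s(%04X)\n", names[r.fault], (unsigned)r.error_code);
    return 0;
}
```

The DS load in main faults even though CPL is 0, because the RPL carried in the selector is also compared against DPL; the same not-present segment gives #SS when loaded into SS and #NP when loaded into DS or ES.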
POPA—Pop All General Registers

Opcode   Instruction   Clocks   Description

61       POPA          19       Pop in order: DI, SI, BP, SP, BX, DX, CX, AX

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

POPA pops the eight general registers given in the description above, except that the SP value is discarded instead of loaded into SP. POPA reverses a previous PUSHA, restoring the general registers to their values before PUSHA was executed. The first register popped is DI.

PROTECTED MODE EXCEPTIONS

#SS(0) if the starting or ending stack address is not within the stack segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.

POPF—Pop from Stack into the Flags Register

Opcode   Instruction   Clocks   Description

9D       POPF          5        Pop top of stack into flags register

FLAGS MODIFIED
Entire flags register is popped from stack

FLAGS UNDEFINED
None

OPERATION

The top of the iAPX 286 stack, pointed to by SS:SP, is copied into the iAPX 286 flags register. The stack pointer SP is incremented by 2 to point to the new top of stack. The flags, from the top bit (bit 15) to the bottom (bit 0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.

The I/O privilege level will be altered only when executing at privilege level 0. The interrupt enable flag will be altered only when executing at a level at least as privileged as the I/O privilege level. (Real Address mode is equivalent to privilege level 0.) If you execute a POPF instruction with insufficient privilege, there will be no exception nor will the privileged bits be changed.

PROTECTED MODE EXCEPTIONS

#SS(0) if the top of stack is not within the stack segment.

REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at 0FFFFH.
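
Because POPF raises no exception when it lacks the privilege to change IOPL or the interrupt enable flag, software that needs to know whether those bits took effect has to compare the result against what it asked for. The following added example (not code from the manual) models the protected-mode rule stated above using the bit layout listed under POPF; the function names are hypothetical, and copying the undefined bits through unchanged is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag word positions as listed under POPF (bit 15 down to bit 0). */
#define FL_NT   0x4000u   /* nested task                 */
#define FL_IOPL 0x3000u   /* I/O privilege level, 2 bits */
#define FL_OF   0x0800u   /* overflow                    */
#define FL_DF   0x0400u   /* direction                   */
#define FL_IF   0x0200u   /* interrupts enabled          */
#define FL_TF   0x0100u   /* trap                        */
#define FL_SF   0x0080u   /* sign                        */
#define FL_ZF   0x0040u   /* zero                        */
#define FL_AF   0x0010u   /* auxiliary carry             */
#define FL_PF   0x0004u   /* parity                      */
#define FL_CF   0x0001u   /* carry                       */

/*
 * Flags register after a protected-mode POPF executed at privilege level cpl.
 * flags  = register contents before the instruction
 * popped = word taken from the top of the stack
 */
uint16_t popf_protected(uint16_t flags, uint16_t popped, unsigned cpl)
{
    unsigned iopl = (flags & FL_IOPL) >> 12;
    uint16_t keep = 0;                 /* bits POPF silently leaves untouched */

    if (cpl != 0)                      /* IOPL is altered only at level 0 */
        keep |= FL_IOPL;
    if (cpl > iopl)                    /* IF needs CPL at least as privileged as IOPL */
        keep |= FL_IF;
    return (uint16_t)((flags & keep) | (popped & (uint16_t)~keep));
}

/*
 * Privileged bits the caller asked to change that POPF ignored.
 * A non-zero result is the only visible sign of the refusal, since no
 * exception is raised.
 */
uint16_t popf_ignored_bits(uint16_t flags, uint16_t popped, unsigned cpl)
{
    uint16_t after = popf_protected(flags, popped, cpl);
    return (uint16_t)((after ^ popped) & (FL_IOPL | FL_IF));
}

int main(void)
{
    /* Constructed case: IOPL=0, IF=1; level-3 code pops IOPL=3, IF=0, CF=1. */
    uint16_t before = FL_IF, want = FL_IOPL | FL_CF;
    printf("result %04X, ignored %04X\n",
           (unsigned)popf_protected(before, want, 3),
           (unsigned)popf_ignored_bits(before, want, 3));
    return 0;
}
```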
PUSH—Push a Word onto the Stack

Opcode    Instruction   Description

06        PUSH ES       Push ES
0E        PUSH CS       Push CS
16        PUSH SS       Push SS
1E        PUSH DS       Push DS
50+ rw    PUSH rw       Push word register
FF /6     PUSH mw       Push memory word
68 dw     PUSH dw       Push immediate word
6A db     PUSH db       Push immediate sign-extended byte

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The stack pointer SP is decremented by 2, and the operand is placed on the new top of stack, which is pointed to by SS:SP.

The iAPX 286 PUSH SP instruction pushes the value of SP as it existed before the instruction. This differs from the iAPX 86, which pushes the new (decremented by 2) value.

PROTECTED MODE EXCEPTIONS

#SS(0) if the new value of SP is outside the stack segment limit.

#GP(0) for an illegal memory operand effective address in the CS, DS, or ES segments; #SS(0) for an illegal address in the SS segment.

REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if SP = 1 due to lack of stack space.

PUSHA—Push All General Registers

Opcode   Instruction   Clocks   Description

60       PUSHA         17       Push in order: AX,CX,DX,BX, original SP,BP,SI,DI

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

PUSHA saves the registers noted above on the iAPX 286 stack. The stack pointer SP is decremented by 16 to hold the 8 word values. Since the registers are pushed onto the stack in the order in which they were given, they will appear in the 16 new stack bytes in the reverse order. The last register pushed is DI.

PROTECTED MODE EXCEPTIONS

#SS(0) if the starting or ending address is outside the stack segment limit.

REAL ADDRESS MODE EXCEPTIONS

The 80286 will shut down if SP = 1, 3, or 5 before executing PUSHA. If SP = 7, 9, 11, 13, or 15, exception 13 will occur.

PUSHF—Push Flags Register onto the Stack

Opcode   Instruction   Clocks   Description

9C       PUSHF         3        Push flags register

FLAGS MODIFIED
None

FLAGS UNDEFINED
None

OPERATION

The stack pointer SP is decremented by 2, and the iAPX 286 flags register is copied to the new top of stack, which is pointed to by SS:SP. The flags, from the top bit (15) to the bottom bit (0), are as follows: undefined, nested task, I/O privilege level (2 bits), overflow, direction, interrupts enabled, trap, sign, zero, undefined, auxiliary carry, undefined, parity, undefined, and carry.

PROTECTED MODE EXCEPTIONS

#SS(0) if the new value of SP is outside the stack segment limit.

REAL ADDRESS MODE EXCEPTIONS

None; the 80286 will shut down if SP = 1 due to lack of stack space.

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RCL/RCR/ROL/ROR—RPotate Instructions 


Clocks-N* 


Instruction 


RCL 
RCL 
RCL 
RCL 
RCL 
RCL 
RCR 
RCR 
RCR 
RCR 
RCR 
RCR 
ROL 
ROL 
ROL 
ROL 
ROL 
ROL 
ROR 
ROR 
ROR 
ROR 
ROR 
ROR 


eb, 1 
eb,CL 
eb,db 
ew, 1 
ew,CL 
ew,db 
eb, 1 
eb,CL 
eb,db 
ew, 1 
ew,CL 
ew,db 
eb,1 
eb,CL 
eb,db 
ew, 1 
ew,CL 
ew,db 
eb,1 
eb,CL 
eb,db 
ew,1 
ew,CL 
ew,db 


2,mem=7 
5,mem=8 
5,smem=8 
2,mem=7 
5,mem=8 
5,mem=8 
2,mem=7 
5,mem=8 
5,mem=8 
2,mem=7 
5,mem=8 
5,mem=8 
2,mem=7 
5,mem=8 
5,mem=8 
2,mem=7 
5,mem=8 
5,mem=8 
2,mem=7 
5,mem=8 
5,mem=8 
2,mem=7 
5,mem=8 
5,mem=8 


* Add 1 clock to the times shown for each rotate made 


FLAGS MODIFIED 
Overflow (only for single rotates), carry 


FLAGS UNDEFINED 
Overflow for multi-bit rotates 


OPERATION 


Each rotate instruction shifts the bits of the 
register or memory operand given. The left 
rotate instructions shift all of the bits upward, 
except for the top bit, which comes back 
around to the bottom. The right rotate 
instructions do the reverse: the bits shift 
downward, with the bottom bit coming around 
to the top. 


Description


Rotate 9-bits (CF, EA byte) left once
Rotate 9-bits (CF, EA byte) left CL times
Rotate 9-bits (CF, EA byte) left db times
Rotate 17-bits (CF, EA word) left once
Rotate 17-bits (CF, EA word) left CL times
Rotate 17-bits (CF, EA word) left db times
Rotate 9-bits (CF, EA byte) right once
Rotate 9-bits (CF, EA byte) right CL times
Rotate 9-bits (CF, EA byte) right db times
Rotate 17-bits (CF, EA word) right once
Rotate 17-bits (CF, EA word) right CL times
Rotate 17-bits (CF, EA word) right db times
Rotate 8-bit EA byte left once
Rotate 8-bit EA byte left CL times
Rotate 8-bit EA byte left db times
Rotate 16-bit EA word left once
Rotate 16-bit EA word left CL times
Rotate 16-bit EA word left db times
Rotate 8-bit EA byte right once
Rotate 8-bit EA byte right CL times
Rotate 8-bit EA byte right db times
Rotate 16-bit EA word right once
Rotate 16-bit EA word right CL times
Rotate 16-bit EA word right db times


For the RCL and RCR instructions, the carry
flag is part of the rotated quantity. RCL shifts
the carry flag into the bottom bit and shifts
the top bit into the carry flag; RCR shifts the
carry flag into the top bit and shifts the
bottom bit into the carry flag. For the ROL
and ROR instructions, the original value of
the carry flag is not a part of the result;
nonetheless, the carry flag receives a copy of
the bit that was shifted from one end to the
other.


The rotate is repeated the number of times 
indicated by the second operand, which is 
either an immediate number or the contents 
of the CL register. To reduce the maximum 
execution time, the iAPX 286 does not allow 
rotation counts greater than 31. If a rotation 
count greater than 31 is attempted, only the 
bottom five bits of the rotation are used. The 
iAPX 86 does not mask rotate counts. 


The overflow flag is set only for the
single-rotate (second operand = 1) forms of the
instructions. The OF bit is set to be accurate
if a shift of length 1 is done. Since it is
undefined for all other values, including a zero
shift, it can always be set for the count-of-1
case regardless of the actual count. For left
shifts/rotates, the CF bit after the shift is
XORed with the high-order result bit. For
right shifts/rotates, the high-order two bits of
the result are XORed to get OF.


PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 

REAL ADDRESS MODE EXCEPTIONS 

Interrupt 13 for a word operand at offset
0FFFFH.
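The count masking and the two overflow rules described above, as an added C emulation that is not part of the original manual. The names rcl8, rcr8 and the is_286 switch are hypothetical; only the byte forms of RCL and RCR are modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of one emulated rotate. of_valid is 0 where the manual
   leaves OF undefined (any count other than 1, including 0). */
struct rot_result { uint8_t value; int cf; int of; int of_valid; };

/* Count actually applied: the iAPX 286 keeps only the bottom five
   bits of the count; the iAPX 86 applies the count unmasked. */
static unsigned effective_count(uint8_t count, int is_286)
{
    return is_286 ? (count & 0x1Fu) : count;
}

/* RCL on a byte operand: a 9-bit left rotate of (CF, byte). */
struct rot_result rcl8(uint8_t value, int cf, uint8_t count, int is_286)
{
    struct rot_result r;
    unsigned n = effective_count(count, is_286);
    for (unsigned i = 0; i < n; i++) {
        int top = (value >> 7) & 1;
        value = (uint8_t)((value << 1) | (cf & 1)); /* CF enters bit 0 */
        cf = top;                                   /* bit 7 leaves to CF */
    }
    r.value = value;
    r.cf = cf;
    r.of_valid = (n == 1);
    /* Left rotate: OF = CF after the rotate XOR high-order result bit. */
    r.of = r.of_valid ? (cf ^ ((value >> 7) & 1)) : 0;
    return r;
}

/* RCR on a byte operand: a 9-bit right rotate of (CF, byte). */
struct rot_result rcr8(uint8_t value, int cf, uint8_t count, int is_286)
{
    struct rot_result r;
    unsigned n = effective_count(count, is_286);
    for (unsigned i = 0; i < n; i++) {
        int bottom = value & 1;
        value = (uint8_t)((value >> 1) | ((cf & 1) << 7)); /* CF enters bit 7 */
        cf = bottom;                                       /* bit 0 leaves to CF */
    }
    r.value = value;
    r.cf = cf;
    r.of_valid = (n == 1);
    /* Right rotate: OF = XOR of the two high-order result bits. */
    r.of = r.of_valid ? (((value >> 7) ^ (value >> 6)) & 1) : 0;
    return r;
}

int main(void)
{
    /* The same instruction bytes give different results on the two
       processors once the count exceeds 31. */
    struct rot_result on_286 = rcl8(0x80, 0, 33, 1);
    struct rot_result on_86  = rcl8(0x80, 0, 33, 0);
    printf("286: value=%02X CF=%d\n", on_286.value, on_286.cf);
    printf("86:  value=%02X CF=%d\n", on_86.value, on_86.cf);
    return 0;
}
```

Code that relies on a count above 31 behaves differently on the two processors, so a port between them should check every CL-driven rotate for an upper bound on the count.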
REP/REPE/REPNE—Repeat Following String Operation


Opcode  Instruction          Clocks*   Description

F3      REP INS eb,DX        5+4*CX    Input CX bytes from port DX into ES:[DI]
F3      REP INS ew,DX        5+4*CX    Input CX words from port DX into ES:[DI]
F3      REP INSB             5+4*CX    Input CX bytes from port DX into ES:[DI]
F3      REP INSW             5+4*CX    Input CX words from port DX into ES:[DI]
        REP MOVS mb,mb       5+4*CX    Move CX bytes from [SI] to ES:[DI]
        REP MOVS mw,mw       5+4*CX    Move CX words from [SI] to ES:[DI]
        REP MOVSB            5+4*CX    Move CX bytes from DS:[SI] to ES:[DI]
        REP MOVSW            5+4*CX    Move CX words from DS:[SI] to ES:[DI]
        REP OUTS DX,eb       5+4*CX    Output CX bytes from [SI] to port DX
        REP OUTS DX,ew       5+4*CX    Output CX words from [SI] to port DX
        REP OUTSB            5+4*CX    Output CX bytes from DS:[SI] to port DX
        REP OUTSW            5+4*CX    Output CX words from DS:[SI] to port DX
        REP STOS mb          4+3*CX    Fill CX bytes at ES:[DI] with AL
        REP STOS mw          4+3*CX    Fill CX words at ES:[DI] with AX
        REP STOSB            4+3*CX    Fill CX bytes at ES:[DI] with AL
        REP STOSW            4+3*CX    Fill CX words at ES:[DI] with AX
        REPE CMPS mb,mb      5+9*N     Find nonmatching bytes in ES:[DI] and [SI]
        REPE CMPS mw,mw      5+9*N     Find nonmatching words in ES:[DI] and [SI]
        REPE CMPSB           5+9*N     Find nonmatching bytes in ES:[DI] and DS:[SI]
        REPE CMPSW           5+9*N     Find nonmatching words in ES:[DI] and DS:[SI]
        REPE SCAS mb         5+8*N     Find non-AL byte starting at ES:[DI]
        REPE SCAS mw         5+8*N     Find non-AX word starting at ES:[DI]
        REPE SCASB           5+8*N     Find non-AL byte starting at ES:[DI]
        REPE SCASW           5+8*N     Find non-AX word starting at ES:[DI]
        REPNE CMPS mb,mb     5+9*N     Find matching bytes in ES:[DI] and [SI]
        REPNE CMPS mw,mw     5+9*N     Find matching words in ES:[DI] and [SI]
        REPNE CMPSB          5+9*N     Find matching bytes in ES:[DI] and DS:[SI]
        REPNE CMPSW          5+9*N     Find matching words in ES:[DI] and DS:[SI]
        REPNE SCAS mb        5+8*N     Find AL, starting at ES:[DI]
        REPNE SCAS mw        5+8*N     Find AX, starting at ES:[DI]
        REPNE SCASB          5+8*N     Find AL, starting at ES:[DI]
        REPNE SCASW          5+8*N     Find AX, starting at ES:[DI]


* N denotes the number of iterations actually executed.


FLAGS MODIFIED
By CMPS and SCAS, none by REP


FLAGS UNDEFINED
None


OPERATION

REP, REPE, and REPNE are prefix operations.
These prefixes cause the string instruction
that follows to be repeated CX times or
(for REPE and REPNE) until the indicated
condition in the zero flag is no longer met.
Thus, REPE stands for “Repeat while equal,”
REPNE for “Repeat while not equal.”


The REP prefixes make sense only in the 
contexts listed above. They cannot be applied 
to anything other than string operations. 


Synonymous forms of REPE and REPNE are 
REPZ and REPNZ, respectively. 


The REP prefixes apply only to one string 
instruction at a time. To repeat a block of 
instructions, use a LOOP construct. 
The precise action for each iteration is as
follows:


1. Check the CX register. If it is zero, exit
   the iteration and move to the next
   instruction.

2. Acknowledge any pending interrupts.

3. Perform the string operation once.

4. Decrement CX by 1; no flags are
   modified.

5. If the string operation is SCAS or CMPS,
   check the zero flag. If the repeat condition
   does not hold, then exit the iteration
   and move to the next instruction. Exit if
   the prefix is REPE and ZF=0 (the last
   comparison was not equal), or if the
   prefix is REPNE and ZF=1 (the last
   comparison was equal).

6. Go to step 1 for the next iteration.


As defined by the individual string-ops, the
direction of movement through the block is
determined by the direction flag. If the
direction flag is 1 (STD was executed), SI and/or
DI start at the end of the block and move
backward; if the direction flag is 0 (CLD was
executed), SI and/or DI start at the beginning
of the block and move forward.


For repeated SCAS and CMPS operations the
repeat can be exited for one of two different
reasons: the CX count can be exhausted or
the zero flag can fail the repeat condition.
Your code will probably want to distinguish
between the two cases. It can do so via either
the JCXZ instruction or the conditional jumps
that test the zero flag (JZ, JNZ, JE, and
JNE).


NOTE


Not all input/output ports can handle the
rate at which the repeated I/O instructions
execute.


PROTECTED MODE EXCEPTIONS


None by REP; exceptions can be generated
when the string-op is executed.


REAL ADDRESS MODE EXCEPTIONS


None by REP; exceptions can be generated
when the string-op is executed.
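The six-step iteration above applied to REPNE SCASB, as an added C model that is not part of the original manual. It exercises the two exit reasons at their boundaries: a match on the final element (CX reaches 0 and ZF=1 together) and a zero count on entry (no iteration runs, so ZF keeps its earlier value). The function names and the sample buffer are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

enum rep_prefix { REPE, REPNE };

struct scas_state {
    uint16_t cx;  /* remaining iteration count */
    uint16_t di;  /* offset of the next element within ES */
    int zf;       /* zero flag: written only by the compare */
    int df;       /* direction flag: 0 = forward, 1 = backward */
};

/* REPE/REPNE SCASB over the bytes at es[], following steps 1 to 6. */
void rep_scasb(enum rep_prefix p, uint8_t al, const uint8_t *es,
               struct scas_state *s)
{
    for (;;) {
        if (s->cx == 0)                       /* step 1 */
            return;
        /* step 2: pending interrupts would be acknowledged here */
        s->zf = (al == es[s->di]);            /* step 3: compare sets ZF */
        s->di = (uint16_t)(s->di + (s->df ? -1 : 1));
        s->cx--;                              /* step 4: flags untouched */
        if (p == REPE && s->zf == 0)          /* step 5 */
            return;
        if (p == REPNE && s->zf == 1)
            return;
    }                                         /* step 6 */
}

/* Search decided by the zero flag. Returns the index of the first
   byte equal to al, or -1. The length is checked first because with
   CX=0 no compare executes and ZF would be stale. */
int find_by_zf(const uint8_t *buf, uint16_t len, uint8_t al)
{
    struct scas_state s = { len, 0, 0, 0 };
    if (len == 0)
        return -1;
    rep_scasb(REPNE, al, buf, &s);
    return s.zf ? (int)s.di - 1 : -1;
}

/* Same search decided by CX alone, as a JCXZ test would. A match on
   the final element also leaves CX=0, so it is reported as a miss. */
int find_by_cx(const uint8_t *buf, uint16_t len, uint8_t al)
{
    struct scas_state s = { len, 0, 0, 0 };
    rep_scasb(REPNE, al, buf, &s);
    return s.cx == 0 ? -1 : (int)s.di - 1;
}

/* Constructed sample data. */
static const uint8_t sample[4] = { 'a', 'b', 'c', 'd' };

int main(void)
{
    printf("'c': zf=%d cx=%d\n", find_by_zf(sample, 4, 'c'),
           find_by_cx(sample, 4, 'c'));
    printf("'d': zf=%d cx=%d\n", find_by_zf(sample, 4, 'd'),
           find_by_cx(sample, 4, 'd'));
    return 0;
}
```

A bounded scan that tests only CX treats a terminator in the last position as absent; testing ZF after guarding against a zero count handles both boundaries.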
RET—Return from Procedure


Instruction   Description

RET           Return to far caller, same privilege
RET           Return, lesser privilege, switch stacks
RET           Return to near caller, same privilege
RET dw        RET (far), same privilege, pop dw bytes
RET dw        RET (far), lesser privilege, pop dw bytes
RET dw        RET (near), same privilege, pop dw bytes
              pushed before Call


Clocks*


15,pm=25


* Add 1 clock for each byte in the next instruction executed.


FLAGS MODIFIED 
None


FLAGS UNDEFINED 
None 


OPERATION 


RET transfers control to a return address 
located on the stack. The address is usually 
placed on the stack by a CALL instruction; 
in that case, the return is made to the instruc- 
tion that follows the CALL. 


There is an optional numeric parameter to 
RET. It gives the number of stack bytes to be 
released after the return address is popped. 
These bytes are typically used as input 
parameters to the procedure called. 


For the intra-segment return, the address on 
the stack is a 2-byte quantity popped into IP. 
The CS register is unchanged. 
For the inter-segment return, the address on
the stack is a 4-byte-long pointer. The offset
is popped first, followed by the selector. In
real address mode, CS and IP are directly
loaded.


In protected mode, an inter-segment return
causes the processor to consult the descriptor
addressed by the return selector. The AR byte
of the descriptor must indicate a code segment
of equal or less privilege (of greater or equal
numeric value) than the current privilege
level. Returns to a lesser privilege level cause
the stack to be reloaded from the value saved
beyond the parameter block.


The DS and ES segment registers may be set 
to zero by the inter-segment RET instruction. 
If these registers refer to segments which 
cannot be used by the new privilege level, they 
are set to zero to prevent unauthorized access. 


The following list of checks and actions 
describes the protected-mode inter-segment 
return in detail. 
Inter-segment RET:
   Second word on stack must be within stack limits else #SS(0)
   Return selector RPL must be ≥ CPL else #GP (return selector)
   If return selector RPL = CPL then
      RETURN TO SAME LEVEL:
      Return selector must be non-null else #GP(0)
      Selector index must be within its descriptor table limits else #GP (selector)
      Descriptor AR byte must indicate code segment else #GP (selector)
      If non-conforming then code segment DPL must equal CPL else #GP (selector)
      If conforming then code segment DPL must be ≤ CPL else #GP (selector)
      Code segment must be PRESENT else #NP (selector)
      Top word on stack must be within stack limits else #SS(0)
      IP must be in code segment limit else #GP(0)
      Load CS:IP from stack
      Load CS-cache with descriptor
      Increment SP by 4 plus the immediate offset if it exists
   Else
      RETURN TO OUTER PRIVILEGE LEVEL:
      Top (8+immediate) bytes on stack must be within stack limits else #SS(0)
      Examine return CS selector (at SP+2) and associated descriptor:
         Selector must be non-null else #GP(0)
         Selector index must be within its descriptor table limits else #GP (selector)
         Descriptor AR byte must indicate code segment else #GP (selector)
         If non-conforming then code segment DPL must equal return selector RPL else #GP (selector)
         If conforming then code segment DPL must be ≤ return selector RPL else #GP (selector)
         Segment must be PRESENT else #NP (selector)
      Examine return SS selector (at SP+6+imm) and associated descriptor:
         Selector must be non-null else #GP(0)
         Selector index must be within its descriptor table limits else #GP (selector)
         Selector RPL must equal the RPL of the return CS selector else #GP (selector)
         Descriptor AR byte must indicate a writable data segment else #GP (selector)
         Descriptor DPL must equal the RPL of the return CS selector else #GP (selector)
         Segment must be PRESENT else #NP (selector)
      IP must be in code segment limit else #GP(0)
      Set CPL to the RPL of the return CS selector
      Load CS:IP from stack
      Set CS RPL to CPL
      Increment SP by 4 plus the immediate offset if it exists
      Load SS:SP from stack
      Load the CS-cache with the return CS descriptor
      Load the SS-cache with the return SS descriptor
      For each of ES and DS:
         If the current register setting is not valid for the outer level, set the
         register to null (selector = AR = 0)
         To be valid, the register setting must satisfy the following properties:
            Selector index must be within descriptor table limits
            Descriptor AR byte must indicate data or readable code segment
            If segment is data or non-conforming code, then:
               DPL must be ≥ CPL, or
               DPL must be ≥ RPL


PROTECTED MODE EXCEPTIONS
#GP, #NP, or #SS, as described in the above
listing.


REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 if the stack pop wraps around
from 0FFFFH to 0.
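The return CS selector checks from the listing above, as an added C model that is not part of the original manual. It covers only the selector and descriptor tests (not the stack-limit, IP-limit or SS checks), uses a single descriptor table, and reports the error code as the selector value the listing names; the struct layout, function names and the sample table are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified descriptor: only the AR-byte fields these checks read. */
struct desc { int present, is_code, conforming, dpl; };

enum ret_outcome { RET_SAME_LEVEL, RET_OUTER_LEVEL, RET_GP, RET_NP };

struct ret_result { enum ret_outcome outcome; uint16_t error_code; };

static struct ret_result result(enum ret_outcome o, uint16_t code)
{
    struct ret_result r = { o, code };
    return r;
}

/* Validate the return CS selector of an inter-segment RET executed
   at privilege level cpl. Selector layout: bits 0-1 RPL, bits 3-15
   index (the table-indicator bit is ignored in this model). */
struct ret_result check_return_cs(int cpl, uint16_t sel,
                                  const struct desc *table, size_t entries)
{
    int rpl = sel & 3;
    size_t index = sel >> 3;
    const struct desc *d;

    if (rpl < cpl)                 /* never return to more privilege */
        return result(RET_GP, sel);
    if ((sel & 0xFFFC) == 0)       /* null selector */
        return result(RET_GP, 0);
    if (index >= entries)          /* outside descriptor table limits */
        return result(RET_GP, sel);
    d = &table[index];
    if (!d->is_code)
        return result(RET_GP, sel);
    /* Same level: RPL equals CPL, so comparing against RPL covers
       both branches of the listing. */
    if (!d->conforming && d->dpl != rpl)
        return result(RET_GP, sel);
    if (d->conforming && d->dpl > rpl)
        return result(RET_GP, sel);
    if (!d->present)
        return result(RET_NP, sel);
    return result(rpl == cpl ? RET_SAME_LEVEL : RET_OUTER_LEVEL, 0);
}

/* Constructed sample table; entry 0 is the null descriptor slot. */
static const struct desc sample_gdt[6] = {
    { 0, 0, 0, 0 },   /* 0: null */
    { 1, 1, 0, 0 },   /* 1: level-0 code, non-conforming */
    { 1, 1, 0, 3 },   /* 2: level-3 code, non-conforming */
    { 1, 1, 1, 1 },   /* 3: conforming code, DPL 1 */
    { 1, 0, 0, 3 },   /* 4: data segment */
    { 0, 1, 0, 3 },   /* 5: level-3 code, not present */
};

int main(void)
{
    /* A level-3 caller placing a level-0 code selector on its stack
       is stopped by the first test. */
    struct ret_result r = check_return_cs(3, 0x08, sample_gdt, 6);
    printf("outcome=%d error=%04X\n", (int)r.outcome, r.error_code);
    return 0;
}
```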
SAHF—Store AH into Flags


Opcode   Instruction   Clocks   Description

9E       SAHF          2        Store AH into flags SF ZF xx AF xx PF xx CF


FLAGS MODIFIED
Sign, zero, auxiliary carry, parity, carry


FLAGS UNDEFINED
None


OPERATION
The flags listed above are loaded with values
from the AH register, from bits 7, 6, 4, 2, and
0, respectively.


PROTECTED MODE EXCEPTIONS 


None 


REAL ADDRESS MODE EXCEPTIONS 
None 
SAL/SAR/SHL/SHR—Shift Instructions


Opcode  Instruction   Clocks*    Description

D0      SAL eb,1      2,mem=7    Multiply EA byte by 2, once
        SAL eb,CL     5,mem=8    Multiply EA byte by 2, CL times
        SAL eb,db     5,mem=8    Multiply EA byte by 2, db times
        SAL ew,1      2,mem=7    Multiply EA word by 2, once
        SAL ew,CL     5,mem=8    Multiply EA word by 2, CL times
        SAL ew,db     5,mem=8    Multiply EA word by 2, db times
        SAR eb,1      2,mem=7    Signed divide EA byte by 2, once
        SAR eb,CL     5,mem=8    Signed divide EA byte by 2, CL times
        SAR eb,db     5,mem=8    Signed divide EA byte by 2, db times
        SAR ew,1      2,mem=7    Signed divide EA word by 2, once
        SAR ew,CL     5,mem=8    Signed divide EA word by 2, CL times
        SAR ew,db     5,mem=8    Signed divide EA word by 2, db times
        SHR eb,1      2,mem=7    Unsigned divide EA byte by 2, once
        SHR eb,CL     5,mem=8    Unsigned divide EA byte by 2, CL times
        SHR eb,db     5,mem=8    Unsigned divide EA byte by 2, db times
        SHR ew,1      2,mem=7    Unsigned divide EA word by 2, once
        SHR ew,CL     5,mem=8    Unsigned divide EA word by 2, CL times
        SHR ew,db     5,mem=8    Unsigned divide EA word by 2, db times


* Add 1 clock to the times shown for each shift performed


FLAGS MODIFIED


Overflow (only for single-shift form), carry,
zero, overflow, parity, sign


FLAGS UNDEFINED


Auxiliary carry; also overflow for multibit
shifts (only).


OPERATION


SAL (or its synonym SHL) shifts the bits of
the operand upward. The high-order bit is
shifted into the carry flag, and the low-order
bit is set to 0.


SAR and SHR shift the bits of the operand
downward. The low-order bit is shifted into
the carry flag. The effect is to divide the
operand by 2. SAR performs a signed divide:
the high-order bit remains the same. SHR
performs an unsigned divide: the high-order
bit is set to 0.


The shift is repeated the number of times
indicated by the second operand, which is
either an immediate number or the contents
of the CL register. To reduce the maximum
execution time, the iAPX 286 does not allow
shift counts greater than 31. If a shift count
greater than 31 is attempted, only the bottom
five bits of the shift count are used. The iAPX
86 uses all 8 bits of the shift count.


The overflow flag is set only if the single-shift 
forms of the instructions are used. For left 
shifts, it is set to 0 if the high bit of the answer 
is the same as the result carry flag (i.e., the 
top two bits of the original operand were the 
same); it is set to 1 if they are different. For 
SAR it is set to 0 for all single shifts. For
SHR, it is set to the high-order bit of the 
original operand. 


PROTECTED MODE EXCEPTIONS

#GP(0) if the operand is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
SBB—Integer Subtraction With Borrow


Opcode  Instruction   Clocks    Description

18 /r   SBB eb,rb     2,mem=7   Subtract with borrow byte register from EA byte
19 /r   SBB ew,rw     2,mem=7   Subtract with borrow word register from EA word
        SBB rb,eb     2,mem=7   Subtract with borrow EA byte from byte register
        SBB rw,ew     2,mem=7   Subtract with borrow EA word from word register
        SBB AL,db               Subtract with borrow imm. byte from AL
        SBB AX,dw               Subtract with borrow imm. word from AX
        SBB eb,db               Subtract with borrow imm. byte from EA byte
        SBB ew,dw               Subtract with borrow imm. word from EA word
        SBB ew,db               Subtract with borrow imm. byte from EA word


FLAGS MODIFIED


Overflow, sign, zero, auxiliary carry, parity,
carry


FLAGS UNDEFINED
None


OPERATION


The second operand is added to the carry flag
and the result is subtracted from the first
operand. The first operand is replaced with
the result of the subtraction, and the flags are
set accordingly.


When a byte-immediate value is subtracted
from a word operand, the immediate value is
first sign-extended.


PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
SCAS/SCASB/SCASW—Compare String Data


Instruction   Description

SCAS mb       Compare bytes AL - ES:[DI], advance DI
SCAS mw       Compare words AX - ES:[DI], advance DI
SCASB         Compare bytes AL - ES:[DI], advance DI
SCASW         Compare words AX - ES:[DI], advance DI


FLAGS MODIFIED
Overflow, sign, zero, auxiliary carry, parity,
carry


FLAGS UNDEFINED
None


OPERATION
SCAS subtracts the memory byte or word at
ES:DI from the AL or AX register. The result
is discarded; only the flags are set. The
operand must be addressable from the ES
register; no segment override is possible.


After the comparison is made, DI is
automatically advanced. If the direction flag is 0
(CLD was executed), DI increments; if the
direction flag is 1 (STD was executed), DI
decrements. DI increments or decrements by
1 if bytes were compared; by 2 if words were
compared.

SCAS can be preceded by the REPE or
REPNE prefix for a block search of CX bytes
or words. Refer to the REP instruction for
details of this operation.


PROTECTED MODE EXCEPTIONS


#GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS
segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
SGDT/SIDT—Store Global/Interrupt Descriptor Table Register


Opcode     Instruction   Clocks   Description

0F 01 /0   SGDT m        11       Store Global Descriptor Table register to m
0F 01 /1   SIDT m        12       Store Interrupt Descriptor Table register to m


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION

The contents of the descriptor table register
are copied to six bytes of memory indicated
by the operand. The LIMIT field of the
register goes to the first word at the effective
address; the next three bytes get the BASE
field of the register; and the last byte is
undefined.


SGDT and SIDT appear only in operating
systems software; they are not used in
applications programs.


PROTECTED MODE EXCEPTIONS 

#UD if the destination operand is a register. 
#GP(0) if the destination is in a non-writable 
segment. #GP(0) for an illegal memory 
operand effective address in the CS, DS, or 
ES segments; #SS(0) for an illegal address in 
the SS segment. 


REAL ADDRESS MODE EXCEPTIONS

These instructions are valid in Real Address
mode to facilitate power-up or to reset
initialization prior to entering Protected mode.


#UD if the destination operand is a register.
Interrupt 13 for a word operand at offset
0FFFFH.
SLDT—Store Local Descriptor Table Register


Opcode     Instruction   Clocks     Description

0F 00 /0   SLDT ew       2,mem=3    Store Local Descriptor Table register to EA word


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION
The Local Descriptor Table register is stored
in the 2-byte register or memory location
indicated by the effective address operand.
This register is a selector that points into the
Global Descriptor Table.

SLDT appears only in operating systems
software. It is not used in applications
programs.


PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS

Interrupt 6; SLDT is not recognized in Real
Address mode.
SMSW—Store Machine Status Word


Opcode     Instruction   Clocks     Description

0F 01 /4   SMSW ew       2,mem=3    Store Machine Status Word to EA word


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION

The Machine Status Word is stored in the
2-byte register or memory location indicated
by the effective address operand.


PROTECTED MODE EXCEPTIONS

#GP(0) if the destination is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset
0FFFFH.
STC—Set Carry Flag


Opcode   Instruction   Clocks   Description

F9       STC                    Set carry flag


FLAGS MODIFIED
Carry=1


FLAGS UNDEFINED
None


OPERATION


The carry flag is set to 1.


PROTECTED MODE EXCEPTIONS
None


REAL ADDRESS MODE EXCEPTIONS
None
STD—Set Direction Flag


Instruction   Clocks   Description

STD           2        Set direction flag so SI and DI will decrement


FLAGS MODIFIED
Direction=1


FLAGS UNDEFINED
None


OPERATION


The direction flag is set to 1. This causes all
subsequent string operations to decrement the
index registers (SI and/or DI) on which they
operate.


PROTECTED MODE EXCEPTIONS 
None 


REAL ADDRESS MODE EXCEPTIONS 
None 
STI—Set Interrupt Enable Flag


Instruction   Clocks   Description

STI           2        Set interrupt enable flag, interrupts enabled


FLAGS MODIFIED
Interrupt=1 (enabled)


FLAGS UNDEFINED
None


OPERATION


The interrupts-enabled flag is set to 1. The
iAPX 286 will now respond to external
interrupts after executing the next instruction if
the next instruction allows the interrupt flag
to remain enabled. Therefore, if external
interrupts are disabled and the user codes
STI, RET (such as at the end of a subroutine)
the RET is allowed to execute before
external interrupts are recognized. Also, if
external interrupts are disabled and the user
codes STI, CLI, then external interrupts are
not recognized because the CLI instruction
clears the interrupt flag during its execution.


PROTECTED MODE EXCEPTIONS

#GP(0) if the current privilege level is bigger
(has less privilege) than the I/O privilege
level.


REAL ADDRESS MODE EXCEPTIONS 
None 
STOS/STOSB/STOSW—Store String Data


Opcode   Instruction   Description

AA       STOS mb       Store AL to byte ES:[DI], advance DI
AB       STOS mw       Store AX to word ES:[DI], advance DI
AA       STOSB         Store AL to byte ES:[DI], advance DI
AB       STOSW         Store AX to word ES:[DI], advance DI


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION


STOS transfers the contents of the AL or AX
register to the memory byte or word at ES:DI.
The operand must be addressable from the ES
register; no segment override is possible.


After the transfer is made, DI is automatically
advanced. If the direction flag is 0 (CLD
was executed), DI increments; if the direction
flag is 1 (STD was executed), DI decrements.
DI increments or decrements by 1 if a byte
was moved; by 2 if a word was moved.


STOS can be preceded by the REP prefix for 
a block fill of CX bytes or words. Refer to the 
REP instruction for details of this operation. 


PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
STR—Store Task Register


Opcode     Instruction   Clocks     Description

0F 00 /1   STR ew        2,mem=3    Store Task Register to EA word


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION

The contents of the Task Register are copied
to the 2-byte register or memory location
indicated by the effective address operand.


PROTECTED MODE EXCEPTIONS
#GP(0) if the destination is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 6; STR is not recognized in Real
Address mode.
SUB—Integer Subtraction


Opcode   Instruction   Clocks    Description

28       SUB eb,rb     2,mem=7   Subtract byte register from EA byte
29       SUB ew,rw     2,mem=7   Subtract word register from EA word
2A       SUB rb,eb     2,mem=7   Subtract EA byte from byte register
2B       SUB rw,ew     2,mem=    Subtract EA word from word register
2C       SUB AL,db     3         Subtract immediate byte from AL
2D       SUB AX,dw     3         Subtract immediate word from AX
80       SUB eb,db     3,mem=7   Subtract immediate byte from EA byte
81       SUB ew,dw     3,mem=7   Subtract immediate word from EA word
83       SUB ew,db     3,mem=7   Subtract immediate byte from EA word


FLAGS MODIFIED


Overflow, sign, zero, auxiliary carry, parity,
carry


FLAGS UNDEFINED
None


OPERATION


The second operand is subtracted from the
first operand, and the first operand is replaced
with the result.


When a byte-immediate value is subtracted
from a word operand, the immediate value is
first sign-extended.


PROTECTED MODE EXCEPTIONS
#GP(0) if the result is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
TEST—Logical Compare


Instruction    Clocks    Description

TEST eb,rb     2,mem=6   AND byte register into EA byte for flags only
TEST rb,eb     2,mem=6   AND EA byte into byte register for flags only
TEST ew,rw     2,mem=6   AND word register into EA word for flags only
TEST rw,ew     2,mem=6   AND EA word into word register for flags only
TEST AL,db     3         AND immediate byte into AL for flags only
TEST AX,dw     3         AND immediate word into AX for flags only
TEST eb,db     3,mem=6   AND immediate byte into EA byte for flags only
TEST ew,dw     3,mem=6   AND immediate word into EA word for flags only


FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0


FLAGS UNDEFINED
Auxiliary carry


OPERATION

TEST computes the bit-wise logical AND of
the two operands given. Each bit of the result
is 1 if both of the corresponding bits of the
operands are 1; each bit is 0 otherwise. The
result of the operation is discarded; only the
flags are modified.


PROTECTED MODE EXCEPTIONS


#GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS
segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.
VERR, VERW—Verify a Segment for Reading or Writing


Opcode     Instruction   Clocks       Description

0F 00 /4   VERR ew       14,mem=16    Set ZF=1 if seg. can be read, selector ew
0F 00 /5   VERW ew       14,mem=16    Set ZF=1 if seg. can be written, selector ew


FLAGS MODIFIED
Zero


FLAGS UNDEFINED
None


OPERATION


VERR and VERW expect the 2-byte register
or memory operand to contain the value of a
selector. The instructions determine whether
the segment denoted by the selector is
reachable from the current privilege level; the
instructions also determine whether it is
readable or writable. If the segment is
determined to be accessible, the zero flag is set to
1; if the segment is not accessible, it is set to
0. To set ZF, the following conditions must
be met:


1. The selector must denote a descriptor
   within the bounds of the table (GDT or
   LDT); that is, the selector must be
   “defined.”

2. The selector must denote the descriptor
   of a code or data segment.

3. If the instruction is VERR, the segment
   must be readable. If the instruction is
   VERW, the segment must be a writable
   data segment.

4. If the code segment is readable and
   conforming, the descriptor privilege level
   (DPL) can be any value for VERR.
   Otherwise, the DPL must be greater than
   or equal to (have less or the same
   privilege as) both the current privilege level
   and the selector’s RPL.


The validation performed is the same as if the 
segment were loaded into DS or ES and the 
indicated access (read or write) were 
performed. The zero flag receives the result 
of the validation. The selector’s value cannot 
result in a protection exception. This enables 
the software to anticipate possible segment 
access problems. 


PROTECTED MODE EXCEPTIONS 


The only faults that can occur are those 
generated by illegally addressing the memory 
operand which contains the selector. The 
selector is not loaded into any segment regis- 
ter, and no faults attributable to the selector 
operand are generated. 


#GP(0) for an illegal memory operand effec- 
tive address in the CS, DS, or ES segments; 
#SS(0) for an illegal address in the SS 
segment. 


REAL ADDRESS MODE EXCEPTIONS 


Interrupt 6; VERR and VERW are not 
recognized in Real Address Mode. 
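The four VERR/VERW conditions above, as an added C model that is not part of the original manual. It shows how the selector's RPL alone can turn an accessible segment into an inaccessible one, and the conforming-code exception for VERR. The descriptor struct, function names and sample table are hypothetical; a single table is modelled, and treating the null selector as undefined is an assumption of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum seg_kind { SEG_SYSTEM, SEG_DATA, SEG_CODE };

struct seg_desc {
    enum seg_kind kind;
    int readable;    /* code segments only; data is always readable */
    int writable;    /* data segments only */
    int conforming;  /* code segments only */
    int dpl;
};

/* Condition 1: the selector must index inside the table.
   Assumption of this model: the null selector is not "defined". */
static const struct seg_desc *lookup(uint16_t sel,
                                     const struct seg_desc *t, size_t n)
{
    size_t index = sel >> 3;
    if ((sel & 0xFFFC) == 0 || index >= n)
        return NULL;
    return &t[index];
}

/* Returns the value VERR would place in ZF. */
int verr(uint16_t sel, int cpl, const struct seg_desc *t, size_t n)
{
    int rpl = sel & 3;
    const struct seg_desc *d = lookup(sel, t, n);
    if (d == NULL)
        return 0;                                   /* condition 1 */
    if (d->kind == SEG_SYSTEM)
        return 0;                                   /* condition 2 */
    if (d->kind == SEG_CODE && !d->readable)
        return 0;                                   /* condition 3 */
    if (d->kind == SEG_CODE && d->conforming)
        return 1;               /* condition 4: any DPL is accepted */
    return d->dpl >= cpl && d->dpl >= rpl;          /* condition 4 */
}

/* Returns the value VERW would place in ZF. */
int verw(uint16_t sel, int cpl, const struct seg_desc *t, size_t n)
{
    int rpl = sel & 3;
    const struct seg_desc *d = lookup(sel, t, n);
    if (d == NULL)
        return 0;                                   /* condition 1 */
    if (d->kind != SEG_DATA || !d->writable)
        return 0;                          /* conditions 2 and 3 */
    return d->dpl >= cpl && d->dpl >= rpl;          /* condition 4 */
}

/* Constructed sample table; entry 0 is the null descriptor slot. */
static const struct seg_desc sample_table[7] = {
    { SEG_SYSTEM, 0, 0, 0, 0 },  /* 0: null */
    { SEG_DATA,   1, 1, 0, 0 },  /* 1: level-0 writable data */
    { SEG_DATA,   1, 1, 0, 3 },  /* 2: level-3 writable data */
    { SEG_DATA,   1, 0, 0, 3 },  /* 3: level-3 read-only data */
    { SEG_CODE,   0, 0, 0, 3 },  /* 4: execute-only code */
    { SEG_CODE,   1, 0, 1, 0 },  /* 5: readable conforming code, DPL 0 */
    { SEG_SYSTEM, 0, 0, 0, 0 },  /* 6: system descriptor */
};

int main(void)
{
    /* Same level-0 data descriptor, same CPL, different RPL. */
    printf("RPL 0: ZF=%d\n", verr(0x08, 0, sample_table, 7));
    printf("RPL 3: ZF=%d\n", verr(0x0B, 0, sample_table, 7));
    return 0;
}
```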


THE iAPX 286 INSTRUCTION SET 


WAIT—Wait Until BUSY Pin Is Inactive (HIGH)


Opcode   Instruction   Clocks   Description

9B       WAIT                   Wait until BUSY pin is inactive (HIGH)


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION
WAIT suspends execution of 80286 instructions
until the BUSY pin is inactive (high).
The BUSY pin is driven by the 80287
numeric processor extension. WAIT is issued
to ensure that the numeric instruction being
executed is complete, and to check for a
possible numeric fault (see below).


PROTECTED MODE EXCEPTIONS
#NM if task switch flag in MSW is set. #MF
if 80287 has detected an unmasked numeric
error.


REAL ADDRESS MODE EXCEPTIONS
Same as Protected mode.




XCHG—Exchange Memory/Register with Register


Instruction   Clocks    Description

XCHG eb,rb    3,mem=5   Exchange byte register with EA byte
XCHG rb,eb    3,mem=5   Exchange EA byte with byte register
XCHG ew,rw    3,mem=5   Exchange word register with EA word
XCHG rw,ew    3,mem=5   Exchange EA word with word register
XCHG AX,rw    3         Exchange word register with AX
XCHG rw,AX    3         Exchange with word register


FLAGS MODIFIED 
None 


FLAGS UNDEFINED 
None 


OPERATION 


The two operands are exchanged. The order 
of the operands is immaterial. BUS LOCK is 
asserted for the duration of the exchange, 
regardless of the presence or absence of the 
LOCK prefix or IOPL. 


PROTECTED MODE EXCEPTIONS
#GP(0) if either operand is in a non-writable
segment. #GP(0) for an illegal memory
operand effective address in the CS, DS, or
ES segments; #SS(0) for an illegal address in
the SS segment.


REAL ADDRESS MODE EXCEPTIONS


Interrupt 13 for a word operand at offset
0FFFFH.




XLAT—Table Look-up Translation


Opcode   Instruction   Clocks   Description

D7       XLAT mb       5        Set AL to memory byte DS:[BX + unsigned AL]
D7       XLATB         5        Set AL to memory byte DS:[BX + unsigned AL]


FLAGS MODIFIED
None


FLAGS UNDEFINED
None


OPERATION


When XLAT is executed, AL should be the
unsigned index into a table addressed by
DS:BX. XLAT changes the AL register from
the table index into the table entry. BX is
unchanged.


PROTECTED MODE EXCEPTIONS
#GP(0) for an illegal memory operand effective
address in the CS, DS, or ES segments;
#SS(0) for an illegal address in the SS
segment.


REAL ADDRESS MODE EXCEPTIONS
Interrupt 13 for a word operand at offset
0FFFFH.
XOR—Logical Exclusive OR


Instruction     Clocks      Description

XOR eb,rb       2,mem=7     Exclusive-OR byte register into EA byte
XOR ew,rw       2,mem=7     Exclusive-OR word register into EA word
XOR rb,eb       2,mem=7     Exclusive-OR EA byte into byte register
XOR rw,ew       2,mem=7     Exclusive-OR EA word into word register
XOR AL,db       3           Exclusive-OR immediate byte into AL
XOR AX,dw       3           Exclusive-OR immediate word into AX
XOR eb,db       3,mem=7     Exclusive-OR immediate byte into EA byte
XOR ew,dw       3,mem=7     Exclusive-OR immediate word into EA word


FLAGS MODIFIED
Overflow=0, sign, zero, parity, carry=0


FLAGS UNDEFINED
Auxiliary carry


OPERATION

XOR computes the exclusive OR of the two operands. Each bit of the
result is 1 if the corresponding bits of the operands are different;
each bit is 0 if the corresponding bits are the same. The answer
replaces the first operand.


PROTECTED MODE EXCEPTIONS

#GP(0) if the result is in a non-writable segment. #GP(0) for an
illegal memory operand effective address in the CS, DS, or ES
segments; #SS(0) for an illegal address in the SS segment.


REAL ADDRESS MODE EXCEPTIONS

Interrupt 13 for a word operand at offset 0FFFFH.
iAPX 286/10
HIGH PERFORMANCE MICROPROCESSOR
WITH MEMORY MANAGEMENT AND PROTECTION
(80286, 80286-6, 80286-4)

ADVANCE INFORMATION


■ High Performance Processor (Up to six times iAPX 86)

■ Large Address Space:
  —16 Megabytes Physical
  —1 Gigabyte Virtual per Task

■ Integrated Memory Management, Four-Level Memory Protection and
  Support for Virtual Memory and Operating Systems

■ Two iAPX 86 Upward Compatible Operating Modes:
  —iAPX 86 Real Address Mode
  —Protected Virtual Address Mode

■ Range of clock rates
  —8 MHz for 80286
  —6 MHz for 80286-6
  —4 MHz for 80286-4

■ Optional Processor Extension:
  —iAPX 286/20 High Performance 80-bit Numeric Data Processor

■ Complete System Development Support:
  —Development Software: Assembler, PL/M, Pascal, FORTRAN, and System
   Utilities
  —In-Circuit-Emulator (ICE™-286)

■ High Bandwidth Bus Interface (8 Megabyte/Sec)

■ Available in EXPRESS:
  —Standard Temperature Range


The iAPX 286/10 (80286 part number) is an advanced, high-performance microprocessor with specially optimized
capabilities for multiple user and multi-tasking systems. The 80286 has built-in memory protection that supports
operating system and task isolation as well as program and data privacy within tasks. An 8 MHz iAPX 286/10 provides
up to six times greater throughput than the standard 5 MHz iAPX 86/10. The 80286 includes memory management
capabilities that map up to 2^30 bytes (one gigabyte) of virtual address space per task into 2^24 bytes (16 megabytes)
of physical memory.


The iAPX 286 is upward compatible with iAPX 86 and 88 software. Using iAPX 86 real address mode, the 80286 is
object code compatible with existing iAPX 86, 88 software. In protected virtual address mode, the 80286 is source
code compatible with iAPX 86, 88 software and may require upgrading to use virtual addresses supported by the
80286's integrated memory management and protection mechanism. Both modes operate at full 80286 performance
and execute a superset of the iAPX 86 and 88's instructions.


The 80286 provides special operations to support the efficient implementation and execution of operating systems.
For example, one instruction can end execution of one task, save its state, switch to a new task, load its state, and
start execution of the new task. The 80286 also supports virtual memory systems by providing a segment-not-present
exception and restartable instructions.
Figure 1. 80286 Internal Block Diagram (blocks shown include the segment bases and segment limit checker, the bus unit (BU) with latches and drivers, prefetcher, processor extension interface, bus control, data transceivers and 6-byte prefetch queue, and the instruction unit (IU))
Figure 2. 80286 Pin Configuration (Component Pad View, as viewed from the underside of the component when mounted on the board; P.C. Board View, as viewed from the component side of the P.C. board)

NOTE: N.C. pads must not be connected.


Table 1. Pin Description

The following pin function descriptions are for the 80286 microprocessor:


Symbol    Name and Function


CLK       System Clock provides the fundamental timing for iAPX 286 systems. It is divided by two inside
          the 80286 to generate the processor clock. The internal divide-by-two circuitry can
          be synchronized to an external clock generator by a LOW to HIGH transition on the RESET
          input.


Data Bus inputs data during memory, I/O, and interrupt acknowledge read cycles; outputs data
during memory and I/O write cycles. The data bus is active HIGH and floats to 3-state OFF during
bus hold acknowledge.


Address Bus outputs physical memory and I/O port addresses. A0 is LOW when data is to be
transferred on pins D7-0. A23-A16 are LOW during I/O transfers. The address bus is active HIGH
and floats to 3-state OFF during bus hold acknowledge.


Bus High Enable indicates transfer of data on the upper byte of the data bus, D15-8. Eight-bit
oriented devices assigned to the upper byte of the data bus would normally use BHE to condition
chip select functions. BHE is active LOW and floats to 3-state OFF during bus hold acknowledge.


BHE and A0 Encodings

BHE Value   A0 Value   Function

0           0          Word transfer
0           1          Byte transfer on upper half of data bus (D15-8)
1           0          Byte transfer on lower half of data bus (D7-0)
1           1          Reserved
Table 1. Pin Description (Cont.)


the type of bus cycle. The bus is in a Ts state whenever one or both are LOW. S1 and S0 are
active LOW and float to 3-state OFF during bus hold acknowledge.


80286 Bus Cycle Status Definition

COD/INTA    M/IO    S1    S0    Bus cycle initiated

0 (LOW)     0       0     0     Interrupt acknowledge
0           0       0     1     Reserved
0           0       1     0     Reserved
0           0       1     1     None; not a status cycle
0           1       0     0     IF A1 = 1 then halt; else shutdown
0           1       0     1     Memory data read
0           1       1     0     Memory data write
0           1       1     1     None; not a status cycle
1 (HIGH)    0       0     0     Reserved
1           0       0     1     I/O read
1           0       1     0     I/O write
1           0       1     1     None; not a status cycle
1           1       0     0     Reserved
1           1       0     1     Memory instruction read
1           1       1     0     Reserved
1           1       1     1     None; not a status cycle


Memory/IO Select distinguishes memory access from I/O access: If HIGH during Ts, a memory 
cycle or a halt/shutdown cycle is in progress. If LOW, an I/O cycle or an interrupt acknowledge cycle 
is in progress. M/IO floats to 3-state OFF during bus hold acknowledge. 


Code/Interrupt Acknowledge distinguishes instruction fetch cycles from memory data read cycles. 
Also distinguishes interrupt acknowledge cycles from I/O cycles. COD/INTA floats to 3-state OFF 
during bus hold acknowledge. Its timing is the same as M/IO. 


Bus Lock indicates that other system bus masters are not to gain control of the system bus following 
the current bus cycle. The LOCK signal may be activated explicitly by the “LOCK” instruction prefix 
or automatically by 80286 hardware during memory XCHG instructions, interrupt acknowledge, or 
descriptor table access. LOCK is active LOW and floats to 3-state OFF during bus hold acknowledge.


Bus Ready terminates a bus cycle. Bus cycles are extended without limit until terminated by READY 
LOW. READY is an active LOW synchronous input requiring setup and hold times relative to the
system clock be met for correct operation. READY is ignored during bus hold acknowledge. 


Bus Hold Request and Hold Acknowledge control ownership of the 80286 local bus. The HOLD 
input allows another local bus master to request control of the local bus. When control is granted, the 
80286 will float its bus drivers to 3-state OFF and then activate HLDA, thus entering the bus hold 
acknowledge condition. The local bus will remain granted to the requesting master until HOLD
becomes inactive which results in the 80286 deactivating HLDA and regaining control of the local
bus. This terminates the bus hold acknowledge condition. HOLD may be asynchronous to the system 
clock. These signals are active HIGH. 


Interrupt Request requests the 80286 to suspend its current program execution and service a 
pending external request. Interrupt requests are masked whenever the interrupt enable bit in the 
flag word is cleared. When the 80286 responds to an interrupt request, it performs two interrupt 
acknowledge bus cycles to read an 8-bit interrupt vector that identifies the source of the interrupt. To 
assure program interruption, INTR must remain active until the first interrupt acknowledge cycle is 
completed. INTR is sampled at the beginning of each processor cycle and must be active HIGH at 
least two processor cycles before the current instruction ends in order to interrupt before the next 
instruction. INTR is level sensitive, active HIGH, and may be asynchronous to the system clock. 


Non-maskable Interrupt Request interrupts the 80286 with an internally supplied vector value of 
2. No interrupt acknowledge cycles are performed. The interrupt enable bit in the 80286 flag word 
does not affect this input. The NMI input is active HIGH, may be asynchronous to the system clock, 
and is edge triggered after internal synchronization. For proper recognition, the input must have 
been previously LOW for at least four system clock cycles and remain HIGH for at least four system 
clock cycles. 
Table 1. Pin Description (Cont.)


Processor Extension Operand Request and Acknowledge extend the memory management and protection
capabilities of the 80286 to processor extensions. The PEREQ input requests the 80286 to perform a data
operand transfer for a processor extension. The PEACK output signals the processor extension when the
requested operand is being transferred. PEREQ is active HIGH and floats to 3-state OFF during bus hold
acknowledge. PEACK may be asynchronous to the system clock. PEACK is active LOW.


Processor Extension Busy and Error indicate the operating condition of a processor extension
to the 80286. An active BUSY input stops 80286 program execution on WAIT and some ESC
instructions until BUSY becomes inactive (HIGH). The 80286 may be interrupted while waiting
for BUSY to become inactive. An active ERROR input causes the 80286 to perform a processor
extension interrupt when executing WAIT or some ESC instructions. These inputs are active
LOW and may be asynchronous to the system clock.


System Reset clears the internal logic of the 80286 and is active HIGH. The 80286 may be
reinitialized at any time with a LOW to HIGH transition on RESET which remains active for more than
16 system clock cycles. During RESET active, the output pins of the 80286 enter the state shown
below:


80286 Pin State During Reset

Pin Value      Pin Names

1 (HIGH)       S0, S1, PEACK, A23-A0, BHE, LOCK
0 (LOW)        M/IO, COD/INTA, HLDA
3-state OFF    D15-D0


Operation of the 80286 begins after a HIGH to LOW transition on RESET. The HIGH to LOW transition
of RESET must be synchronous to the system clock. Approximately 50 system clock cycles are
required by the 80286 for internal initializations before the first bus cycle to fetch code from the
power-on execution address is performed.


A LOW to HIGH transition of RESET synchronous to the system clock will end a processor
cycle at the second HIGH to LOW transition of the system clock. The LOW to HIGH transition
of RESET may be asynchronous to the system clock; however, in this case it cannot be predetermined
which phase of the processor clock will occur during the next system clock period.
Synchronous LOW to HIGH transitions of RESET are required only for systems where the
processor clock must be phase synchronous to another clock.


System Ground: 0 Volts.
System Power: +5 Volt Power Supply.


Substrate Filter Capacitor: a 0.047 µF ± 20% 12V capacitor must be connected between this pin
and ground. This capacitor filters the output of the internal substrate bias generator. A maximum DC
leakage current of 1 µA is allowed through the capacitor.


For correct operation of the 80286, the substrate bias generator must charge this capacitor to its
operating voltage. The capacitor chargeup time is 5 milliseconds (max.) after Vcc and CLK reach
their specified AC and DC parameters. RESET may be applied to prevent spurious activity by the
CPU during this time. After this time, the 80286 processor clock can be phase synchronized to
another clock by pulsing RESET LOW synchronous to the system clock.
FUNCTIONAL DESCRIPTION


Introduction 


The 80286 is an advanced, high-performance micro- 
processor with specially optimized capabilities for mul- 
tiple user and multi-tasking systems. Depending on the 
application, the 80286’s performance is up to six times 
faster than the standard 5 MHz 8086's, while providing 
complete upward software compatibility with Intel’s iAPX 
86, 88, and 186 family of CPU’s. 


The 80286 operates in two modes: iAPX 86 real address 
mode and protected virtual address mode. Both modes 
execute a superset of the iAPX 86 and 88 instruction set. 


In iAPX 86 real address mode programs use real addresses
with up to one megabyte of address space. Programs
use virtual addresses in protected virtual address
mode, also called protected mode. In protected mode,
the 80286 CPU automatically maps 1 gigabyte of virtual
addresses per task into a 16 megabyte real address
space. This mode also provides memory protection to
isolate the operating system and ensure privacy of each
task's programs and data. Both modes provide the same
base instruction set, registers, and addressing modes.


The following Functional Description describes first, the 
base 80286 architecture common to both modes, sec- 
ond, iAPX 86 real address mode, and third, protected 
mode. 


iAPX 286/10 BASE ARCHITECTURE


The iAPX 86, 88, 186, and 286 CPU family all contain 
the same basic set of registers, instructions, and ad- 
dressing modes. The 80286 processor is upward com- 
patible with the 8086, 8088, and 80186 CPU's. 


(Figure 3 labels, general registers: 16-bit register names with byte addressable 8-bit register names shown; special register functions: multiply/divide and I/O instructions, loop/shift/repeat count, base registers, index registers, stack pointer.)


Register Set 


The 80286 base architecture has fifteen registers as 
shown in Figure 3. These registers are grouped into the 
following four categories:


General Registers: Eight 16-bit general purpose reg- 
isters used to contain arithmetic and logical operands. 
Four of these (AX, BX, CX, and DX) can be used either 
in their entirety as 16-bit words or split into pairs of sep- 
arate 8-bit registers. 


Segment Registers: Four 16-bit special purpose reg- 
isters select, at any given time, the segments of memory 
that are immediately addressable for code, stack, and 
data. (For usage, refer to Memory Organization.) 


Base and Index Registers: Four of the general pur- 
pose registers may also be used to determine offset ad- 
dresses of operands in memory. These registers may 
contain base addresses or indexes to particular loca- 
tions within a segment. The addressing mode deter- 
mines the specific registers used for operand address 
calculations.


Status and Control Registers: The three 16-bit special
purpose registers in Figure 3a record or control cer-
tain aspects of the 80286 processor state including 
the Instruction Pointer, which contains the offset 
address of the next sequential instruction to be 
executed. 


Figure 3. Register Set (segment registers: code segment selector, data segment selector, stack segment selector, extra segment selector; status and control registers: flags, instruction pointer, machine status word)
Figure 3a. Status and Control Register Bit Functions (status flags: carry, parity, auxiliary carry, zero, sign, overflow; control flags: trap flag, interrupt enable, direction flag; special fields: I/O privilege level, nested task flag; MSW: task switch, processor extension emulated, monitor processor extension, protection enable)


Flags Word Description

The Flags word (Flags) records specific characteristics
of the result of logical and arithmetic instructions (bits 0,
2, 4, 6, 7, and 11) and controls the operation of the 80286
within a given operating mode (bits 8 and 9). Flags is a
16-bit register. The function of the flag bits is given in
Table 2.


Carry Flag—Set on high-order bit carry or borrow; cleared otherwise

Parity Flag—Set if low-order 8 bits of result contain an even number of
1-bits; cleared otherwise

AF (bit 4): Set on carry from or borrow to the low order four bits of
AL; cleared otherwise

Zero Flag—Set if result is zero; cleared otherwise

Sign Flag—Set equal to high-order

Overflow Flag—Set if result is a too-large positive number or a
too-small negative number (excluding sign-bit) to fit in destination
operand; cleared otherwise

Single Step Flag—Once set, a single step interrupt occurs after the
next instruction executes. TF is cleared by the single step interrupt.

Interrupt-enable Flag—When set, maskable interrupts will cause the
CPU to transfer control to an interrupt vector specified location.

Direction Flag—Causes string instructions to auto decrement the
appropriate index registers when set. Clearing DF causes auto
increment.


Instruction Set

The instruction set is divided into seven categories: data
transfer, arithmetic, shift/rotate/logical, string manipulation,
control transfer, high level instructions, and processor
control. These categories are summarized in Figure 4.


An 80286 instruction can reference zero, one, or two
operands; where an operand resides in a register, in the
instruction itself, or in memory. Zero-operand instructions
(e.g. NOP and HLT) are usually one byte long. One-operand
instructions (e.g. INC and DEC) are usually two
bytes long but some are encoded in only one byte. One-operand
instructions may reference a register or memory
location. Two-operand instructions permit the following
six types of instruction operations:


—Register to Register
—Memory to Register
—Immediate to Register
—Memory to Memory
—Register to Memory
—Immediate to Memory

Two-operand instructions (e.g. MOV and ADD) are usually
three to six bytes long. Memory to memory operations
are provided by a special class of string instructions
requiring one to three bytes. For detailed instruction formats
and encodings refer to the instruction set summary
at the end of this document.


For detailed operation and usage of each instruction, see
Appendix of iAPX 286 Programmer's Reference Manual
(Order No. 210498).


MOV
PUSH
PUSHA
POPA            Pop all registers from stack
XCHG            Exchange byte or word
XLAT
IN
OUT
LEA
LDS
LES

FLAG TRANSFER
LAHF            Load AH register from flags
SAHF

Figure 4a. Data Transfer Instructions


REP             Repeat
REPE/REPZ
REPNE/REPNZ

Figure 4c. String Instructions
ADDITION
ADC             Add byte or word with carry
                ASCII adjust for addition
DAA             Decimal adjust for addition

SUBTRACTION
SUB             Subtract byte or word
SBB             Subtract byte or word with borrow
DEC             Decrement byte or word by 1
CMP             Compare byte or word
AAS             ASCII adjust for subtraction
DAS             Decimal adjust for subtraction

MULTIPLICATION
                ASCII adjust for multiply

CWD

Figure 4b. Arithmetic Instructions


LOGICALS
NOT             "Not" byte or word
                "And" byte or word
                "Inclusive or" byte or word

ROTATES
ROR             Rotate right byte or word

Figure 4d. Shift/Rotate/Logical Instructions
CONDITIONAL TRANSFERS
JA/JNBE         Jump if above/not below nor equal
JAE/JNB         Jump if above or equal/not below
JB/JNAE         Jump if below/not above nor equal
JBE/JNA         Jump if below or equal/not above
JC              Jump if carry
JE/JZ           Jump if equal/zero
JG/JNLE         Jump if greater/not less nor equal
JGE/JNL         Jump if greater or equal/not less
JL/JNGE         Jump if less/not greater nor equal
JLE/JNG         Jump if less or equal/not greater
JNC             Jump if not carry
JNE/JNZ         Jump if not equal/not zero
JNO             Jump if not overflow
JNP/JPO         Jump if not parity/parity odd
JNS             Jump if not sign
JO              Jump if overflow
JP/JPE          Jump if parity/parity even
JS              Jump if sign

UNCONDITIONAL TRANSFERS
RET

ITERATION CONTROLS
LOOP            Loop
LOOPE/LOOPZ     Loop if equal/zero
LOOPNE/LOOPNZ   Loop if not equal/not zero
JCXZ            Jump if register CX = 0

INTERRUPTS
                Interrupt
INTO            Interrupt if overflow
                Interrupt return

Figure 4e. Program Transfer Instructions


FLAG OPERATIONS
                Set carry flag
                Clear carry flag
                Complement carry flag
                Set direction flag
CLD             Clear direction flag
                Set interrupt enable flag
CLI             Clear interrupt enable flag

EXTERNAL SYNCHRONIZATION
                Halt until interrupt or reset
                Wait for BUSY not active
                Escape to extension processor
                Lock bus during next instruction

NO OPERATION
                No operation

EXECUTION ENVIRONMENT CONTROL
LMSW            Load machine status word
SMSW            Store machine status word

Figure 4f. Processor Control Instructions


ENTER           Format stack for procedure entry
LEAVE           Restore stack for procedure exit
BOUND           Detects values outside prescribed range

Figure 4g. High Level Instructions
Memory Organization

Memory is organized as sets of variable length segments.
Each segment is a linear contiguous sequence
of up to 64K (2^16) 8-bit bytes. Memory is addressed using
a two-component address (a pointer) that consists
of a 16-bit segment selector, and a 16-bit offset. The
segment selector indicates the desired segment in
memory. The offset component indicates the desired byte
address within the segment.


Figure 5. Two Component Address (a 32-bit pointer, bits 31 to 0, made up of a segment component and an offset component; the segment component picks the selected segment in memory)
All instructions that address operands in memory must
specify the segment and the offset. For speed and compact
instruction encoding, segment selectors are usually
stored in the high speed segment registers. An
instruction need specify only the desired segment register
and an offset in order to address a memory operand.


Most instructions need not explicitly specify which segment
register is used. The correct segment register is
automatically chosen according to the rules of Table 3.
These rules follow the way programs are written (see
Figure 6) as independent modules that require areas for
code and data, a stack, and access to external data areas.


Table 3. Segment Register Selection Rules

                          Segment Register   Implicit Segment
                          Used               Selection Rule

Instructions              Code (CS)          Automatic with instruction prefetch
Stack                     Stack (SS)         All stack pushes and pops. Any memory
                                             reference which uses BP as a base register.
Local Data                Data (DS)          All data references except when relative to
                                             stack or string destination
External (Global) Data    Extra (ES)         Alternate data segment and destination of
                                             string operation


Figure 6. Segmented Memory Helps Structure Software (code and data of module A, the process stack, process data block 1 and process data block 2, each a segment in memory)


Special segment override instruction prefixes allow
the implicit segment register selection rules to be
overridden for special cases. The stack, data, and
extra segments may coincide for simple programs.
To access operands not residing in one of the four
immediately available segments, a full 32-bit pointer
or a new segment selector must be loaded.


Addressing Modes


The 80286 provides a total of eight addressing modes
for instructions to specify operands. Two addressing
modes are provided for instructions that operate on register
or immediate operands:


Register Operand Mode: The operand is located in
one of the 8 or 16-bit general registers.


Immediate Operand Mode: The operand is included
in the instruction.


Six modes are provided to specify the location of an operand
in a memory segment. A memory operand address
consists of two 16-bit components: segment
selector and offset. The segment selector is supplied by
a segment register either implicitly chosen by the addressing
mode or explicitly chosen by a segment override
prefix. The offset is calculated by summing any
combination of the following three address elements:


the displacement (an 8 or 16-bit immediate value
contained in the instruction)


the base (contents of either the BX or BP base
registers)


the index (contents of either the SI or DI index registers)


Any carry out from the 16-bit addition is ignored. Eight-bit
displacements are sign extended to 16-bit values.


Combinations of these three address elements define
the six memory addressing modes, described below.


Direct Mode: The operand's offset is contained in the
instruction as an 8 or 16-bit displacement element.


Register Indirect Mode: The operand's offset is in one
of the registers SI, DI, BX, or BP.


Based Mode: The operand's offset is the sum of an 8 or
16-bit displacement and the contents of a base register
(BX or BP).


Indexed Mode: The operand's offset is the sum of an 8
or 16-bit displacement and the contents of an index register
(SI or DI).


Based Indexed Mode: The operand's offset is the sum
of the contents of a base register and an index register.


Based Indexed Mode with Displacement: The operand's
offset is the sum of a base register's contents, an
index register's contents, and an 8 or 16-bit displacement.
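
The offset and segment rules above can be modelled in a few lines of C. This is an added example, not code from the Intel data sheet: the type and function names (mem_operand, classify, effective_offset, operand_segment, word_operand_faults) and the register values are constructed for illustration, and only ordinary memory operands are modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* All names below are hypothetical; they model the rules in the text. */
typedef enum { SEG_CS, SEG_SS, SEG_DS, SEG_ES } seg_reg;
typedef enum { BASE_NONE, BASE_BX, BASE_BP } base_reg;
typedef enum { INDEX_NONE, INDEX_SI, INDEX_DI } index_reg;
typedef enum { DISP_NONE, DISP_8, DISP_16 } disp_size;
typedef enum {
    MODE_INVALID, MODE_DIRECT, MODE_REGISTER_INDIRECT, MODE_BASED,
    MODE_INDEXED, MODE_BASED_INDEXED, MODE_BASED_INDEXED_DISP
} addr_mode;

typedef struct { uint16_t bx, bp, si, di; } regs16;

typedef struct {
    base_reg  base;
    index_reg index;
    disp_size dsize;
    uint16_t  disp;         /* displacement bits as encoded in the instruction */
    int       has_override; /* nonzero when a segment override prefix is present */
    seg_reg   override_seg;
} mem_operand;

/* Name the addressing mode from the address elements that are present. */
addr_mode classify(const mem_operand *m)
{
    int b = m->base != BASE_NONE;
    int i = m->index != INDEX_NONE;
    int d = m->dsize != DISP_NONE;

    if (!b && !i) return d ? MODE_DIRECT : MODE_INVALID;
    if (b && i)   return d ? MODE_BASED_INDEXED_DISP : MODE_BASED_INDEXED;
    if (!d)       return MODE_REGISTER_INDIRECT;
    return b ? MODE_BASED : MODE_INDEXED;
}

/* Sum displacement, base and index modulo 2^16. */
uint16_t effective_offset(const mem_operand *m, const regs16 *r)
{
    uint32_t sum = 0;

    if (m->base == BASE_BX)   sum += r->bx;
    if (m->base == BASE_BP)   sum += r->bp;
    if (m->index == INDEX_SI) sum += r->si;
    if (m->index == INDEX_DI) sum += r->di;
    if (m->dsize == DISP_16)  sum += m->disp;
    if (m->dsize == DISP_8) {
        uint16_t d = (uint16_t)(m->disp & 0x00FFu);
        if (d & 0x0080u) d |= 0xFF00u;   /* sign extend 8 -> 16 bits */
        sum += d;
    }
    return (uint16_t)(sum & 0xFFFFu);    /* carry out of bit 15 is ignored */
}

/* Segment register for an ordinary memory operand (string destinations and
   stack pushes/pops are not modelled here). */
seg_reg operand_segment(const mem_operand *m)
{
    if (m->has_override) return m->override_seg;
    return m->base == BASE_BP ? SEG_SS : SEG_DS;
}

/* A word operand at offset 0FFFFH would run past the end of the segment;
   the instruction pages list this as Interrupt 13 in real address mode. */
int word_operand_faults(uint16_t offset)
{
    return offset == 0xFFFFu;
}

int main(void)
{
    /* Constructed register values: BX, BP, SI, DI. */
    regs16 r = { 0xFFF0, 0x1000, 0x0020, 0x0004 };
    mem_operand ops[] = {
        { BASE_BX,   INDEX_SI,   DISP_8,  0x00F0, 0, SEG_DS }, /* [BX+SI-16] */
        { BASE_BP,   INDEX_NONE, DISP_8,  0x00FE, 0, SEG_DS }, /* [BP-2]     */
        { BASE_BX,   INDEX_NONE, DISP_8,  0x000F, 0, SEG_DS }, /* [BX+15]    */
        { BASE_NONE, INDEX_NONE, DISP_16, 0x1234, 0, SEG_DS }, /* [1234H]    */
    };
    static const char *seg_name[] = { "CS", "SS", "DS", "ES" };
    size_t n;

    for (n = 0; n < sizeof ops / sizeof ops[0]; n++) {
        uint16_t off = effective_offset(&ops[n], &r);
        printf("mode=%d segment=%s offset=%04X word_fault=%d\n",
               (int)classify(&ops[n]), seg_name[operand_segment(&ops[n])],
               (unsigned)off, word_operand_faults(off));
    }
    return 0;
}
```

The first operand shows both rules at once: BX + SI overflows 16 bits and the 8-bit displacement F0H is taken as -16, so the offset wraps to 0000H inside the same segment instead of reaching past it.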


Data Types

The 80286 directly supports the following data types:


Integer:         A signed binary numeric value contained in an 8-bit byte or a 16-bit word.
                 All operations assume a 2's complement representation. Signed 32 and 64-bit
                 integers are supported using the iAPX 286/20 Numeric Data Processor.

Ordinal:         An unsigned binary numeric value contained in an 8-bit byte or 16-bit word.

Pointer:         A 32-bit quantity, composed of a segment selector component and an offset
                 component. Each component is a 16-bit word.

String:          A contiguous sequence of bytes or words. A string may contain from 1 byte
                 to 64K bytes.

ASCII:           A byte representation of alphanumeric and control characters using the ASCII
                 standard of character representation.

BCD:             A byte (unpacked) representation of the decimal digits 0-9.

Packed BCD:      A byte (packed) representation of two decimal digits 0-9 storing one digit in
                 each nibble of the byte.

Floating Point:  A signed 32, 64, or 80-bit real number representation. (Floating point operands
                 are supported using the iAPX 286/20 Numeric Processor configuration.)


Figure 7 graphically represents the data types supported
by the iAPX 286.


I/O Space


The I/O space consists of 64K 8-bit or 32K 16-bit ports.
I/O instructions address the I/O space with either an 8-bit
port address, specified in the instruction, or a 16-bit
port address in the DX register. 8-bit port addresses are
zero extended such that A15-A8 are LOW. I/O port addresses
00F8(H) through 00FF(H) are reserved.
Figure 7. iAPX 286 Supported Data Types (signed byte, unsigned byte, signed word, signed double word*, signed quad word*, unsigned word, binary coded decimal (BCD), ASCII, packed BCD, string, pointer with selector in bits 31-16 and offset in bits 15-0, floating point*)

*Supported by iAPX 286/20 Numeric Data Processor Configuration


210253-006 
AFN-02060D 




Table 4. Interrupt Vector Assignments


Function                              Interrupt  Related               Does Return Address
                                      Number     Instructions          Point to Instruction
                                                                       Causing Exception?

Divide error exception                0          DIV, IDIV             Yes
Single step interrupt                 1
NMI interrupt                         2          INT 2 or NMI pin
Breakpoint interrupt                  3          INT 3
INTO detected overflow exception      4          INTO
Invalid opcode exception              6          Any undefined opcode
Processor extension not present
exception                             7
Intel reserved—do not use             8-15
Processor extension error interrupt   16         ESC or WAIT
Intel reserved—do not use             17-31
User defined                          32-255


Interrupts


An interrupt transfers execution to a new program location.
The old program address (CS:IP) and machine state (Flags)
are saved on the stack to allow resumption of the
interrupted program. Interrupts fall into three classes:
hardware initiated, INT instructions, and instruction
exceptions. Hardware initiated interrupts occur in response
to an external input and are classified as non-maskable or
maskable. Programs may cause an interrupt with an INT
instruction. Instruction exceptions occur when an unusual
condition, which prevents further instruction processing,
is detected while attempting to execute an instruction. The
return address from an exception will always point at the
instruction causing the exception and include any leading
instruction prefixes.


A table containing up to 256 pointers defines the proper
interrupt service routine for each interrupt. Interrupts
0-31, some of which are used for instruction exceptions,
are reserved. For each interrupt, an 8-bit vector must be
supplied to the 80286 which identifies the appropriate
table entry. Exceptions supply the interrupt vector
internally. INT instructions contain or imply the vector
and allow access to all 256 interrupts. Maskable hardware
initiated interrupts supply the 8-bit vector to the CPU
during an interrupt acknowledge bus sequence. Non-maskable
hardware interrupts use a predefined internally supplied
vector.


MASKABLE INTERRUPT (INTR)


The 80286 provides a maskable hardware interrupt request
pin, INTR. Software enables this input by setting the
interrupt flag bit (IF) in the flag word. All 224
user-defined interrupt sources can share this input, yet
they can retain separate interrupt handlers. An 8-bit
vector read by the CPU during the interrupt acknowledge
sequence (discussed in System Interface section) identifies
the source of the interrupt.


Further maskable interrupts are disabled while servicing
an interrupt by resetting the IF bit as part of the
response to an interrupt or exception. The saved flag 
word will reflect the enable status of the processor prior 
to the interrupt. Until the flag word is restored to the flag 
register, the interrupt flag will be zero unless specifically 
set. The interrupt return instruction includes restoring 
the flag word, thereby restoring the original status of IF. 


NON-MASKABLE INTERRUPT REQUEST (NMI) 


A non-maskable interrupt input (NMI) is also provided. 
NMI has higher priority than INTR. A typical use of NMI 
would be to activate a power failure routine. The activa- 
tion of this input causes an interrupt with an internally 
supplied vector value of 2. No external interrupt ac- 
knowledge sequence is performed. 


While executing the NMI servicing procedure, the 80286
will service neither further NMI requests, INTR requests,
nor the processor extension segment overrun interrupt
until an interrupt return (IRET) instruction is executed
or the CPU is reset. If NMI occurs while currently
servicing an NMI, its presence will be saved for servicing
after executing the first IRET instruction. IF is cleared
at the beginning of an NMI interrupt to inhibit INTR
interrupts.


SINGLE STEP INTERRUPT


The 80286 has an internal interrupt that allows pro- 
grams to execute one instruction at a time. It is called the 
single step interrupt and is controlled by the single step 
flag bit (TF) in the flag word. Once this bit is set, an inter- 
nal single step interrupt will occur after the next instruc- 
tion has been executed. The interrupt clears the TF bit 
and uses an internally supplied vector of 1. The IRET 
instruction is used to set the TF bit and transfer control 
to the next instruction to be single stepped. 


Interrupt Priorities 

When simultaneous interrupt requests occur, they are
processed in a fixed order as shown in Table 5. Interrupt
processing involves saving the flags, return address, and
setting CS:IP to point at the first instruction of the
interrupt handler. If other interrupts remain enabled they
are processed before the first instruction of the current
interrupt handler is executed. The last interrupt processed
is therefore the first one serviced.


Table 5. Interrupt Processing Order


Order  Interrupt

       INT instruction
       Processor extension segment overrun
       INTR


Initialization and Processor Reset


Processor initialization or start up is accomplished by
driving the RESET input pin HIGH. RESET forces the 80286
to terminate all execution and local bus activity. No
instruction or bus activity will occur as long as RESET is
active. After RESET becomes inactive and an internal
processing interval elapses, the 80286 begins execution in
real address mode with the instruction at physical location
FFFFF0(H). RESET also sets some registers to predefined
values as shown in Table 6.


Table 6. 80286 Initial Register State after RESET


Flag word              0002(H)
Machine Status Word    FFF0(H)
Instruction pointer    FFF0(H)
Code segment           F000(H)
Data segment
Extra segment
Stack segment

Machine Status Word Description 


The machine status word (MSW) records when a task switch
takes place and controls the operating mode of the 80286.
It is a 16-bit register of which the lower four bits are
used. One bit places the CPU into protected mode, while
the other three bits, as shown in Table 7, control the
processor extension interface. After RESET, this register
contains FFF0(H) which places the 80286 in iAPX 86 real
address mode.


Table 7. MSW Bit Functions


Bit
Position  Name  Function

0         PE    Protected mode enable places the 80286 into
                protected mode and can not be cleared except
                by RESET.

1         MP    Monitor processor extension allows WAIT
                instructions to cause a processor extension
                not present exception (number 7).

2         EM    Emulate processor extension causes a
                processor extension not present exception
                (number 7) on ESC instructions to allow
                emulating a processor extension.

3         TS    Task switched indicates the next instruction
                using a processor extension will cause
                exception 7, allowing software to test
                whether the current processor extension
                context belongs to the current task.


The LMSW and SMSW instructions can load and store
the MSW in real address mode. The recommended use
of TS, EM, and MP is shown in Table 8.


Table 8. Recommended MSW Encodings For Processor Extension Control


Recommended Use                     Instructions Causing Exception 7

Initial encoding af
iAPX 86,88.

A processor extension exists.

No processor extension is available. Software will
emulate its function.

No processor extension is available. Software will
emulate its function. The current processor extension
context may belong to another task.

A processor extension exists. The current processor
extension context may belong to another task. The
Exception 7 on WAIT allows software to test for an error
pending from a previous processor extension operation.


Halt


The HLT instruction stops program execution and pre- 
vents the CPU from using the local bus until restarted. 
Either NMI, INTR with IF = 1, or RESET will force the 
80286 out of halt. If interrupted, the saved CS:IP will 
point to the next instruction after the HLT. 


iAPX 86 REAL ADDRESS MODE 


The 80286 executes a fully upward-compatible superset 
of the 8086 instruction set in real address mode. In real 
address mode the 80286 is object code compatible with 
8086 and 8088 software. The real address mode archi- 
tecture (registers and addressing modes) is exactly as 
described in the iAPX 286/10 Base Architecture section 
of this Functional Description. 


Memory Size


Physical memory is a contiguous array of up to
1,048,576 bytes (one megabyte) addressed by pins
A0 through A19 and BHE. A20 through A23 may be
ignored.


Memory Addressing


In real address mode physical memory is a contiguous
array of up to 1,048,576 bytes (one megabyte) addressed
by pins A0 through A19 and BHE. A20 through A23 may be
ignored.


The selector portion of a pointer is interpreted as the 
upper 16 bits of a 20-bit segment address. The lower 
four bits of the 20-bit segment address are always zero. 
Segment addresses, therefore, begin on multiples of 16 
bytes. See Figure 8 for a graphic representation of ad- 
dress formation. 


All segments in real address mode are 64K bytes in size 
and may be read, written, or executed. An exception or 
interrupt can occur if data operands or instructions at- 
tempt to wrap around the end of a segment (e.g. a word 
with its low order byte at offset FFFF(H) and its high 
order byte at offset 0000(H)). If, in real address mode,
the information contained in a segment does not use the 
full 64K bytes, the unused end of the segment may be 
overlayed by another segment to reduce physical mem- 
ory requirements. 


Reserved Memory Locations 


The 80286 reserves two fixed areas of memory in real
address mode (see Figure 9): system initialization area
and interrupt table area. Locations from addresses
FFFF0(H) through FFFFF(H) are reserved for system
initialization. Initial execution begins at location FFFF0(H).
Locations 00000(H) through 003FF(H) are reserved for
interrupt vectors.


Figure 8. iAPX 86 Real Address Mode Address Calculation
(Diagram labels: 16-bit offset and offset address; 16-bit
segment selector and segment address, with 0000 in the low
four bits; 20-bit physical memory address.)


Figure 9. iAPX 86 Real Address Mode Initially Reserved
Memory Locations
(Diagram labels: reset bootstrap program jump, ending at
FFFFFH; interrupt pointer for vector 255 at 3FCH through
3FFH; interrupt pointers for vector 1 and vector 0 below
it. Initial CS:IP value is F000:FFF0.)


Interrupts


Table 9 shows the interrupt vectors reserved for
exceptions and interrupts which indicate an addressing
error. The exceptions leave the CPU in the state existing
before attempting to execute the failing instruction
(except for PUSH, POP, PUSHA, or POPA). Refer to the next
section on protected mode initialization for a discussion
on exception 8.


Table 9. Real Address Mode Addressing Interrupts


Function                  Interrupt  Related                      Return Address
                          Number     Instructions                 Before Instruction?

Interrupt table limit     8          INT vector is not within
too small exception                  table limit

Processor extension       9          ESC with memory operand
segment overrun                      extending beyond offset
interrupt                            FFFF(H)

Segment overrun           13         Word memory reference with
exception                            offset = FFFF(H) or an
                                     attempt to execute past the
                                     end of a segment


Protected Mode Initialization


To prepare the 80286 for protected mode, the LIDT
instruction is used to load the 24-bit interrupt table base
and 16-bit limit for the protected mode interrupt table.
This instruction can also set a base and limit for the
interrupt vector table in real address mode. After reset,
the interrupt table base is initialized to 000000(H) and
its size set to 03FF(H). These values are compatible
with iAPX 86, 88 software. LIDT should only be executed
in preparation for protected mode.


Shutdown


Shutdown occurs when a severe error is detected that
prevents further instruction processing by the CPU.
Shutdown and halt are externally signalled via a halt bus
operation. They can be distinguished by A1 HIGH for halt
and A1 LOW for shutdown. In real address mode, shutdown
can occur under two conditions:


• Exceptions 8 or 13 happen and the IDT limit does not
  include the interrupt vector.


• A CALL INT or PUSH instruction attempts to wrap
  around the stack segment when SP is not even.


An NMI input can bring the CPU out of shutdown if the
IDT limit is at least 000F(H) and SP is greater than
0005(H), otherwise shutdown can only be exited via the
RESET input.

PROTECTED VIRTUAL ADDRESS MODE


The 80286 executes a fully upward-compatible superset
of the 8086 instruction set in protected virtual address
mode (protected mode). Protected mode also provides
memory management and protection mechanisms and
associated instructions.


The 80286 enters protected virtual address mode from
real address mode by setting the PE (Protection En- 
able) bit of the machine status word with the Load Ma- 
chine Status Word (LMSW) instruction. Protected mode 
offers extended physical and virtual memory address 
space, memory protection mechanisms, and new oper- 
ations to support operating systems and virtual memory. 


All registers, instructions, and addressing modes de- 
scribed in the iAPX 286/10 Base Architecture section of 
this Functional Description remain the same. Programs 
for the iAPX 86, 88, 186, and real address mode 80286 
can be run in protected mode; however, embedded constants
for segment selectors are different.


Memory Size


The protected mode 80286 provides a 1 gigabyte virtual
address space per task mapped into a 16 megabyte
physical address space defined by the address pins A23-A0
and BHE. The virtual address space may be larger
than the physical address space since any use of an
address that does not map to a physical memory location
will cause a restartable exception.


Memory Addressing 


As in real address mode, protected mode uses 32-bit
pointers, consisting of 16-bit selector and offset
components. The selector, however, specifies an index into
a memory resident table rather than the upper 16 bits of
a real memory address. The 24-bit base address of the
desired segment is obtained from the tables in memory.
The 16-bit offset is added to the segment base address 
to form the physical address as shown in Figure 10. The 
tables are automatically referenced by the CPU when- 
ever a segment register is loaded with a selector. All 
iAPX 286 instructions which load a segment register will 
reference the memory based tables without additional 
software. The memory based tables contain 8 byte val- 
ues called descriptors. 


Figure 10. Protected Mode Memory Addressing
(Diagram labels: pointer made up of selector and offset;
segment descriptor in the descriptor table; segment base
address; physical address adder; memory operand within the
segment.)


DESCRIPTORS 


Descriptors define the use of memory. Special types of 
descriptors also define new functions for transfer of con- 
trol and task switching. The 80286 has segment de- 
scriptors for code, stack and data segments, and system 
control descriptors for special system data segments and 
control transfer operations. Descriptor accesses are 
performed as locked bus operations to assure descrip- 
tor integrity in multi-processor systems. 


CODE AND DATA SEGMENT DESCRIPTORS (S = 1) 


Besides segment base addresses, code and data de- 
scriptors contain other segment attributes including 
segment size (1 to 64K bytes), access rights (read only, 
read/write, execute only, and execute/read), and pres- 
ence in memory (for virtual memory systems) (See Fig- 
ure 11). Any segment usage violating a segment attribute 
indicated by the segment descriptor will prevent the 
memory cycle and cause an exception or interrupt. 


Code or Data Segment Descriptor


    INTEL RESERVED*
    ACCESS RIGHTS BYTE (P, DPL, S, TYPE, A) | BASE 23-16
    BASE 15-0
    LIMIT 15-0


Access Rights Byte Definition


Bit
Position  Name                   Function

7         Present (P)            P = 1   Segment is mapped into physical memory.
                                 P = 0   No mapping to physical memory exists,
                                         base and limit are not used.

6-5       Descriptor Privilege   Segment privilege attribute used in
          Level (DPL)            privilege tests.

4         Segment Descrip-       S = 1   Code or Data (includes stacks)
          tor (S)                        segment descriptor
                                 S = 0   System Segment Descriptor or Gate
                                         Descriptor

Type field definition, if Data Segment (S = 1, E = 0):

3         Executable (E)         E = 0   Data segment descriptor type is:
2         Expansion Direc-       ED = 0  Expand up segment, offsets must be ≤ limit.
          tion (ED)              ED = 1  Expand down segment, offsets must be > limit.
1         Writeable (W)          W = 0   Data segment may not be written into.
                                 W = 1   Data segment may be written into.

Type field definition, if Code Segment (S = 1, E = 1):

3         Executable (E)         E = 1   Code Segment Descriptor type is:
2         Conforming (C)         C = 1   Code segment may only be executed when
                                         CPL ≥ DPL and CPL remains unchanged.
1         Readable (R)           R = 0   Code segment may not be read.
                                 R = 1   Code segment may be read.

0         Accessed (A)           A = 0   Segment has not been accessed.
                                 A = 1   Segment selector has been loaded into
                                         segment register or used by selector
                                         test instructions.


Figure 11. Code and Data Segment Descriptor Formats


Code and data (including stack data) are stored in two
types of segments: code segments and data segments. 
Both types are identified and defined by segment descrip- 
tors (S = 1). Code segments are identified by the execu- 
table (E) bit set to 1 in the descriptor access rights byte. The 
access rights byte of both code and data segment descrip- 
tor types have three fields in common: present (P) bit, 
Descriptor Privilege Level (DPL), and accessed (A) bit. 
If P = 0, any attempted use of this segment will cause 
a not-present exception. DPL specifies the privilege level 
of the segment descriptor. DPL controls when the descrip-
tor may be used by a task (refer to privilege discussion
below). The A bit shows whether the segment has been 
previously accessed for usage profiling, a necessity for 
virtual memory systems. The CPU will always set this bit 
when accessing the descriptor. 


Data segments (S = 1, E=0) may be either read-only or 
read-write as controlled by the W bit of the access rights 
byte. Read-only (W=0) data segments may not be writ- 
ten into. Data segments may grow in two directions, as 
determined by the Expansion Direction (ED) bit: up- 
wards (ED=0) for data segments, and downwards 
(ED = 1) for a segment containing a stack. The limit field 
for a data segment descriptor is interpreted differently 
depending on the ED bit (see Figure 11). 


A code segment (S=1, E=1) may be execute-only 
or execute/read as determined by the Readable (R) 
bit. Code segments may never be written into and 
execute-only code segments (R=0) may not be read. 


A code segment may also have an attribute called
conforming (C). A conforming code segment may be
shared by programs that execute at different privi- 
lege levels. The DPL of a conforming code segment 
defines the range of privilege levels at which the 
segment may be executed (refer to privilege discus- 
sion below). The limit field identifies the last byte of 
a code segment. 


SYSTEM SEGMENT DESCRIPTORS (S = 0, TYPE = 1-3) 


In addition to code and data segment descriptors, the
protected mode 80286 defines System Segment Descriptors.
These descriptors define special system data segments
which contain a table of descriptors (Local Descriptor
Table Descriptor) or segments which contain the execu-
tion state of a task (Task State Segment Descriptor).


Figure 12 gives the formats for the special system data
segment descriptors. The descriptors contain a 24-bit
base address of the segment and a 16-bit limit. The
access byte defines the type of descriptor, its state and
privilege level. The descriptor contents are valid and the
segment is in physical memory if P = 1. If P = 0, the
segment is not valid. The DPL field is only used in Task
State Segment descriptors and indicates the privilege
level at which the descriptor may be used (see Privilege).
Since the Local Descriptor Table descriptor may only be
used by a special privileged instruction, the DPL field is
not used. Bit 4 of the access byte is 0 to indicate that it
is a system control descriptor. The type field specifies
the descriptor type as indicated in Figure 12.


System Segment Descriptor


*Must be set to 0 for compatibility with iAPX 386.


System Segment Descriptor Fields


Name   Value          Description

TYPE   1              Available Task State Segment (TSS)
       2              Local Descriptor Table
       3              Busy Task State Segment (TSS)

P      0              Descriptor contents are not valid
       1              Descriptor contents are valid

DPL                   Descriptor Privilege Level

BASE   24-bit number  Base Address of special system data
                      segment in real memory

LIMIT  16-bit number  Offset of last byte in segment


Figure 12. System Segment Descriptor Format


GATE DESCRIPTORS (S = 0, TYPE = 4-7) 


Gates are used to control access to entry points within
the target code segment. The gate descriptors are call
gates, task gates, interrupt gates and trap gates. Gates
provide a level of indirection between the source and
destination of the control transfer. This indirection allows
the CPU to automatically perform protection checks and
control entry point of the destination. Call gates are used
to change privilege levels (see Privilege), task gates are
used to perform a task switch, and interrupt and trap
gates are used to specify interrupt service routines. The
interrupt gate disables interrupts (resets IF) while the
trap gate does not.


Figure 13 shows the format of the gate descriptors. The 
descriptor contains a destination pointer that points to 
the descriptor of the target segment and the entry point 
offset. The destination selector in an interrupt gate, trap 
gate, and call gate must refer to a code segment de- 
scriptor. These gate descriptors contain the entry point 
to prevent a program from constructing and using an 
illegal entry point. Task gates may only refer to a task 
state segment. Since task gates invoke a task switch, 
the destination offset is not used in the task gate. 


Exception 13 is generated when the gate is used if a
destination selector does not refer to the correct
descriptor type. The word count field is used in the call
gate descriptor to indicate the number of parameters (0-31
words) to be automatically copied from the caller's stack
to the stack of the called routine when a control transfer
changes privilege levels. The word count field is not used
by any other gate descriptor.


The access byte format is the same for all gate descrip-
tors. P = 1 indicates that the gate contents are valid. P
= 0 indicates the contents are not valid and causes
exception 11 if referenced. DPL is the descriptor privilege
level and specifies when this descriptor may be used by
a task (refer to privilege discussion below). Bit 4 must
equal 0 to indicate a system control descriptor. The type
field specifies the descriptor type as indicated in Figure
13.


Gate Descriptor


(Diagram fields: INTEL RESERVED*; access byte with P, DPL
and TYPE; WORD COUNT; DESTINATION SELECTOR 15-2;
DESTINATION OFFSET 15-0.)

*Must be set to 0 for compatibility with iAPX 386. (X is don't care)


Gate Descriptor Fields


Name          Value            Description

TYPE          4                Call Gate
              5                Task Gate
              6                Interrupt Gate
              7                Trap Gate

P             0                Descriptor Contents are not valid
              1                Descriptor Contents are valid

DPL                            Descriptor Privilege Level.

WORD COUNT    0-31             Number of words to copy from callers
                               stack to called procedures stack.
                               Only used with call gate.

DESTINATION   16-bit selector  Selector to the target code segment
SELECTOR                       (Call, Interrupt or Trap Gate)
                               Selector to the target task state
                               segment (Task Gate)

DESTINATION   16-bit offset    Entry point within the target code
OFFSET                         segment


Figure 13. Gate Descriptor Format


SEGMENT DESCRIPTOR CACHE REGISTERS


A segment descriptor cache register is assigned to each
of the four segment registers (CS, SS, DS, ES). Segment
descriptors are automatically loaded (cached) into a seg-
ment descriptor cache register (Figure 14) whenever the
associated segment register is loaded with a selector.
Only segment descriptors may be loaded into segment
descriptor cache registers. Once loaded, all references
to that segment of memory use the cached descriptor
information instead of reaccessing the descriptor. The
descriptor cache registers are not visible to programs.
No instructions exist to store their contents. They only
change when a segment register is loaded.


Figure 14. Descriptor Cache Registers
(Diagram labels: program visible segment selectors CS, DS,
SS, ES in the segment registers, loaded by program;
program invisible segment descriptor cache registers,
automatically loaded by CPU, holding access rights,
segment physical base address and segment size.)


SELECTOR FIELDS


A protected mode selector has three fields: descriptor
entry index, local or global descriptor table indicator (TI),
and selector privilege (RPL) as shown in Figure 15. These
fields select one of two memory based tables of descrip-
tors, select the appropriate table entry and allow high-
speed testing of the selector's privilege attribute (refer
to privilege discussion below).


Selector: INDEX in bits 15-3, TI in bit 2, RPL in bits 1-0


Bits  Name                 Function

1-0   Requested Privilege  Indicates selector privilege
      Level (RPL)          level desired

2     Table Indicator      TI = 0 use Global Descriptor Table (GDT)
      (TI)                 TI = 1 use Local Descriptor Table (LDT)

15-3  Index                Select descriptor entry in table


Figure 15. Selector Fields


LOCAL AND GLOBAL DESCRIPTOR TABLES


Two tables of descriptors, called descriptor tables, con-
tain all descriptors accessible by a task at any given time.
A descriptor table is a linear array of up to 8192 descrip-
tors. The upper 13 bits of the selector value are an index
into a descriptor table. Each table has a 24-bit base reg-
ister to locate the descriptor table in physical memory
and a 16-bit limit register that confines descriptor access
to the defined limits of the table as shown in Figure 16. A
restartable exception (13) will occur if an attempt is made
to reference a descriptor outside the table limits.


One table, called the Global Descriptor Table (GDT),
contains descriptors available to all tasks. The other
table, called the Local Descriptor Table (LDT), contains
descriptors that can be private to a task. Each task may
have its own private LDT. The GDT may contain all de-
scriptor types except interrupt and trap descriptors. The
LDT may contain only segment, task gate, and call gate
descriptors. A segment cannot be accessed by a task if
its segment descriptor does not exist in either descriptor
table at the time of access.


Figure 16. Local and Global Descriptor Table Definition
(Diagram labels: GDT base, 24-bit physical address; LDT
descriptor selector; LDT limit and LDT base, 24-bit
physical address, program invisible and automatically
loaded from the LDT descriptor within the GDT; current
LDT; memory shown with increasing addresses.)


The LGDT and LLDT instructions load the base and limit
of the global and local descriptor tables. LGDT and LLDT
are privileged, i.e. they may only be executed by trusted
programs operating at level 0. The LGDT instruction loads
a six byte field containing the 16-bit table limit and 24-bit
physical base address of the Global Descriptor Table as
shown in Figure 17. The LLDT instruction loads a selector
which refers to a Local Descriptor Table descriptor con-
taining the base address and limit for an LDT, as shown
in Figure 12.


    INTEL RESERVED* | BASE 23-16
    BASE 15-0
    LIMIT 15-0


*Must be set to 0 for compatibility with iAPX 386.


Figure 17. Global Descriptor Table and Interrupt
Descriptor Table Data Type


INTERRUPT DESCRIPTOR TABLE 


The protected mode 80286 has a third descriptor table, 
called the Interrupt Descriptor Table (IDT) (see Figure 
18), used to define up to 256 interrupts. It may contain 
only task gates, interrupt gates and trap gates. The IDT
(Interrupt Descriptor Table) has a 24-bit physical base 
and 16-bit limit register in the CPU. The privileged LIDT 
instruction loads these registers with a six byte value of 
identical form to that of the LGDT instruction (see Figure 
17 and Protected Mode Initialization). 


Figure 18. Interrupt Descriptor Table Definition
(Diagram labels: IDT base and IDT limit registers;
Interrupt Descriptor Table (IDT) in memory holding the
gate for interrupt #0, the gate for interrupt #1, up to
the gates for interrupt #n-1 and interrupt #n; memory
shown with increasing addresses.)


References to IDT entries are made via INT instruc- 
tions, external interrupt vectors, or exceptions. The IDT
must be at least 256 bytes in size to allocate space for 
all reserved interrupts. 


Privilege 


The 80286 has a four-level hierarchical privilege system
which controls the use of privileged instructions and ac-
cess to descriptors (and their associated segments) within
a task. Four-level privilege, as shown in Figure 19, is an
extension of the user/supervisor mode commonly found
in minicomputers. The privilege levels are numbered 0
through 3. Level 0 is the most privileged level. Privilege
levels provide protection within a task. (Tasks are isolated
by providing private LDT's for each task.) Operating
system routines, interrupt handlers, and other system soft-
ware can be included and protected within the virtual
address space of each task using the four levels of privi-
lege. Each task in the system has a separate stack for
each of its privilege levels.


Figure 19. Hierarchical Privilege Levels
(Diagram labels: applications; OS extensions; CPU enforced
software interfaces; high speed operating system
interface. Note: PL becomes numerically lower as privilege
level increases.)


Tasks, descriptors, and selectors have a privilege level 
attribute that determines whether the descriptor may be 
used. Task privilege affects the use of instructions and
descriptors. Descriptor and selector privilege only affect
access to the descriptor. 


TASK PRIVILEGE 


A task always executes at one of the four privilege 
levels. The task privilege level at any specific instant 
is called the Current Privilege Level (CPL) and is 
defined by the lower two bits of the CS register. CPL 
cannot change during execution in a single code seg- 
ment. A task’s CPL may only be changed by control 
transfers through gate descriptors to a new code 
segment (See Control Transfer). Tasks begin executing 
at the CPL value specified by the code segment selec- 
tor within TSS when the task is initiated via a task 
switch operation (See Figure 20). A task executing at
Level 0 can access all data segments defined in the
GDT and the task's LDT and is considered the most
trusted level. A task executing at Level 3 has the most
restricted access to data and is considered the least
trusted level.


DESCRIPTOR PRIVILEGE


Descriptor privilege is specified by the Descriptor Privi-
lege Level (DPL) field of the descriptor access byte. DPL
specifies the least trusted task privilege level (CPL) at
which a task may access the descriptor. Descriptors with
DPL = 0 are the most protected. Only tasks executing
at privilege level 0 (CPL = 0) may access them. De-
scriptors with DPL = 3 are the least protected (i.e. have
the least restricted access) since tasks can access them
when CPL = 0, 1, 2, or 3. This rule applies to all descrip-
tors, except LDT descriptors.


SELECTOR PRIVILEGE 


Selector privilege is specified by the Requested Privi- 
lege Level (RPL) field in the least significant two bits of a 
selector. Selector RPL may establish a less trusted priv- 
ilege level than the current privilege level for the use of a 
selector. This level is called the task’s effective privilege 
level (EPL). RPL can only reduce the scope of a task’s 
access to data with this selector. A task's effective privi-
lege is the numeric maximum of RPL and CPL. A selec-
tor with RPL = 0 imposes no additional restriction on its 
use while a selector with RPL = 3 can only refer to seg- 
ments at privilege Level 3 regardless of the task’s CPL. 
RPL is generally used to verify that pointer parameters 
passed to a more trusted procedure are not allowed to
use data at a more privileged level than the caller (refer 
to pointer testing instructions). 


Descriptor Access and Privilege Validation 


Determining the ability of a task to access a segment 
involves the type of segment to be accessed, the in- 
struction used, the type of descriptor used and CPL, 
RPL, and DPL. The two basic types of segment ac- 
cesses are control transfer (selectors loaded into CS) 
and data (selectors loaded into DS, ES or SS). 


DATA SEGMENT ACCESS 


Instructions that load selectors into DS and ES must
refer to a data segment descriptor or readable code seg-
ment descriptor. The CPL of the task and the RPL of the
selector must be the same as or more privileged (nu-
merically equal to or lower than) the descriptor DPL.
In general, a task can only access data segments at the
same or less privileged levels than the CPL or RPL
(whichever is numerically higher) to prevent a program
from accessing data it cannot be trusted to use.


An exception to the rule is a readable conforming code 
segment. This type of code segment can be read from 
any privilege level. 


If the privilege checks fail (e.g. DPL is numerically less
than the maximum of CPL and RPL) or an incorrect type
of descriptor is referenced (e.g. gate descriptor or
execute only code segment) exception 13 occurs. If the
segment is not present, exception 11 is generated.


Instructions that load selectors into SS must refer to data
segment descriptors for writable data segments. The
descriptor privilege (DPL) and RPL must equal CPL. All
other descriptor types or a privilege level violation will
cause exception 13. A not present fault causes
exception 12.


CONTROL TRANSFER 


Four types of control transfer can occur when a selector
is loaded into CS by a control transfer operation (see
Table 10). Each transfer type can only occur if the
operation which loaded the selector references the correct
descriptor type. Any violation of these descriptor usage
rules (e.g. JMP through a call gate or RET to a Task State
Segment) will cause exception 13.


The ability to reference a descriptor for control transfer
is also subject to rules of privilege. A CALL or JUMP
instruction may only reference a code segment descriptor
with DPL equal to the task CPL or a conforming segment
with DPL of equal or greater privilege than CPL.
The RPL of the selector used to reference the code
descriptor must have as much privilege as CPL.


RET and IRET instructions may only reference code 
segment descriptors with descriptor privilege equal to or 
less privileged than the task CPL. The selector loaded 
into CS is the return address from the stack. After the 
return, the selector RPL is the task’s new CPL. If CPL 
changes, the old stack pointer is popped after the return 
address. 


When a JMP or CALL references a Task State Segment
descriptor, the descriptor DPL must be the same or less
privileged than the task’s CPL. Reference to a valid Task
State Segment descriptor causes a task switch (see Task
Switch Operation). Reference to a Task State Segment
descriptor at a more privileged level than the task’s CPL
generates exception 13.


When an instruction or interrupt references a gate de- 
scriptor, the gate DPL must have the same or less privi- 
lege than the task CPL. If DPL is at a more privileged 
level than CPL, exception 13 occurs. If the destination 
selector contained in the gate references a code seg- 
ment descriptor, the code segment descriptor DPL must 
be the same or more privileged than the task CPL. If not, 
Exception 13 is issued. After the control transfer, the 
code segment descriptor’s DPL is the task’s new CPL. If
the destination selector in the gate references a task 
state segment, a task switch is automatically performed 
(see Task Switch Operation). 


The privilege rules on control transfer require: 


—JMP or CALL direct to a code segment (code segment
descriptor) can only be to a conforming segment
with DPL of equal or greater privilege than CPL or a
non-conforming segment at the same privilege level.


—interrupts within the task or calls that may change
privilege levels, can only transfer control through a
gate at the same or a less privileged level than CPL to
a code segment at the same or more privileged level
than CPL.


—return instructions that don't switch tasks can only
return control to a code segment at the same or less
privileged level.


—task switch can be performed by a call, jump or
interrupt which references either a task gate or task state
segment at the same or less privileged level.


Table 10. Descriptor Types Used for Control Transfer

Control Transfer Types        Operation Types          Descriptor      Descriptor
                                                       Referenced      Table
----------------------------  -----------------------  --------------  ----------
Intersegment within the       JMP, CALL, RET, IRET*    Code Segment    GDT/LDT
same privilege level

Intersegment to the same      CALL                     Call Gate       GDT/LDT
or higher privilege level.
Interrupt within task may     Interrupt Instruction,   Trap or         IDT
change CPL.                   Exception, External      Interrupt Gate
                              Interrupt

Intersegment to a lower       RET, IRET*               Code Segment    GDT/LDT
privilege level (changes
task CPL)

Task Switch                   CALL, JMP                Task State      GDT
                                                       Segment
                              CALL, JMP                Task Gate       GDT/LDT
                              IRET**,                  Task Gate       IDT
                              Interrupt Instruction,
                              Exception, External
                              Interrupt

*NT (Nested Task bit of flag word) = 0
**NT (Nested Task bit of flag word) = 1


PRIVILEGE LEVEL CHANGES


Any control transfer that changes CPL within the task, 
causes a change of stacks as part of the operation. Initial 
values of SS:SP for privilege levels 0, 1, and 2 are kept 
in the task state segment (refer to Task Switch Opera- 
tion). During a JMP or CALL control transfer, the new 
stack pointer is loaded into the SS and SP registers and 
the previous stack pointer is pushed onto the new stack. 


When returning to the original privilege level, its stack is
restored as part of the RET or IRET instruction operation.
For subroutine calls that pass parameters on the
stack and cross privilege levels, a fixed number of words,
as specified in the gate, are copied from the previous
stack to the current stack. The inter-segment RET
instruction with a stack adjustment value will correctly
restore the previous stack pointer upon return.
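
The control transfer and stack change rules above, as an added C model (not code from the Intel manual): each function returns the CPL after the transfer, or a negative value for exception 13. The access byte bit positions, the function names and the sample descriptors are assumptions of this example; gate presence checks and conforming gate targets are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define GP_FAULT (-13)            /* exception 13, returned as a negative value */

/* Access rights byte, standard 80286 layout (assumed; not shown in this section). */
#define AR_DPL(ar)        (((ar) >> 5) & 3u)
#define AR_SEGMENT        0x10u   /* 1 = code/data segment, 0 = control descriptor */
#define AR_EXEC           0x08u   /* 1 = code segment */
#define AR_CONFORM        0x04u   /* code segments only */
#define AR_TYPE_CALL_GATE 0x04u   /* low five bits of a call gate access byte */

static int is_code(uint8_t ar) { return (ar & AR_SEGMENT) && (ar & AR_EXEC); }

/* JMP or CALL that names a code segment directly. CPL never changes. */
int direct_jmp_call(unsigned cpl, uint16_t sel, uint8_t code_ar)
{
    unsigned rpl = sel & 3u, dpl = AR_DPL(code_ar);

    if (!is_code(code_ar)) return GP_FAULT;   /* wrong descriptor type */
    if (rpl > cpl)         return GP_FAULT;   /* RPL must be as privileged as CPL */
    if (code_ar & AR_CONFORM) {
        if (dpl > cpl)     return GP_FAULT;   /* conforming: DPL of equal or greater privilege */
    } else if (dpl != cpl) {
        return GP_FAULT;                      /* non-conforming: same level only */
    }
    return (int)cpl;
}

/* CALL through a call gate to a non-conforming code segment.
   *stack_switch is set when CPL changes, which forces a change of stacks. */
int call_via_gate(unsigned cpl, uint8_t gate_ar, uint8_t code_ar, int *stack_switch)
{
    *stack_switch = 0;
    if ((gate_ar & 0x1Fu) != AR_TYPE_CALL_GATE) return GP_FAULT;
    if (AR_DPL(gate_ar) < cpl) return GP_FAULT;   /* gate more privileged than caller */
    if (!is_code(code_ar))     return GP_FAULT;
    if (AR_DPL(code_ar) > cpl) return GP_FAULT;   /* a gate never lowers privilege */
    *stack_switch = (AR_DPL(code_ar) != cpl);
    return (int)AR_DPL(code_ar);                  /* code segment DPL is the new CPL */
}

/* Inter-segment RET or IRET that does not switch tasks.
   The RPL of the return selector becomes the new CPL. */
int far_return(unsigned cpl, uint16_t ret_sel, uint8_t code_ar, int *stack_switch)
{
    unsigned rpl = ret_sel & 3u;

    *stack_switch = 0;
    if (!is_code(code_ar))     return GP_FAULT;
    if (AR_DPL(code_ar) < cpl) return GP_FAULT;   /* target more privileged than CPL */
    if (rpl < cpl)             return GP_FAULT;   /* a return never raises privilege */
    *stack_switch = (rpl != cpl);                 /* old stack pointer is popped */
    return (int)rpl;
}

int main(void)
{
    int sw;
    /* Constructed descriptors: 0x9A = level 0 code, 0xFA = level 3 code,
       0xE4 = call gate with DPL 3. */
    printf("level 3 JMP to level 0 code: %d\n", direct_jmp_call(3, 0x000B, 0x9A));
    printf("level 3 CALL via DPL 3 gate: CPL %d", call_via_gate(3, 0xE4, 0x9A, &sw));
    printf(", stack switch %d\n", sw);
    printf("level 0 RET to level 3 code: CPL %d\n", far_return(0, 0x001B, 0xFA, &sw));
    return 0;
}
```

The only path from level 3 into level 0 code in this model is a gate whose DPL admits the caller, which is what makes gates the controlled entry points of the design.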


Protection 


The 80286 includes mechanisms to protect critical in- 
structions that affect the CPU execution state (e.g. HLT) 
and code or data segments from improper usage. These 
protection mechanisms are grouped into three forms: 


Restricted usage of segments (e.g. no write allowed
to read-only data segments). The only segments
available for use are defined by descriptors in the
Local Descriptor Table (LDT) and Global Descriptor
Table (GDT).


Restricted access to segments via the rules of
privilege and descriptor usage.


Privileged instructions or operations that may only be
executed at certain privilege levels as determined by
the CPL and I/O Privilege Level (IOPL). The IOPL is
defined by bits 14 and 13 of the flag word.


These checks are performed for all instructions and can
be split into three categories: segment load checks
(Table 11), operand reference checks (Table 12), and
privileged instruction checks (Table 13). Any violation of
the rules shown will result in an exception. A not-present
exception related to the stack segment causes
exception 12.


The IRET and POPF instructions do not perform some of
their defined functions if CPL is not of sufficient privilege
(numerically small enough). Precisely these are:

• The IF bit is not changed if CPL > IOPL.

• The IOPL field of the flag word is not changed if CPL > 0.

No exceptions or other indication are given when these
conditions occur.


Table 11. Segment Register Load Checks

Error Description                              Exception Number
---------------------------------------------  ----------------
Descriptor table limit exceeded
Segment descriptor not-present                 11 or 12
Privilege rules violated
Invalid descriptor/segment type segment        13
register load:
—Read only data segment load to SS
—Special control descriptor load to
 DS, ES, SS
—Execute only segment load to DS, ES, SS
—Data segment load to CS
—Read/Execute code segment load to SS


Table 12. Operand Reference Checks

Error Description                              Exception Number
---------------------------------------------  ----------------
Write into code segment                        13
Read from execute-only code segment            13
Write to read-only data segment                13
Segment limit exceeded (Note 1)                12 or 13

Note 1: Carry out in offset calculations is ignored.


Table 13. Privileged Instruction Checks

Error Description                              Exception Number
---------------------------------------------  ----------------
CPL ≠ 0 when executing the following           13
instructions:
LIDT, LLDT, LGDT, LTR, LMSW, CLTS, HLT

CPL > IOPL when executing the following
instructions:
INS, IN, OUTS, OUT, STI, CLI, LOCK


EXCEPTIONS 


The 80286 detects several types of exceptions and
interrupts in protected mode (see Table 14). Most are
restartable after the exceptional condition is removed.
Interrupt handlers for most exceptions can read an error
code, pushed on the stack after the return address, that
identifies the selector involved (0 if none). The return
address normally points to the failing instruction,
including all leading prefixes. For a processor extension
segment overrun exception, the return address will not
point at the ESC instruction that caused the exception;
however, the processor extension registers may contain the
address of the failing instruction.


Table 14. Protected Mode Exceptions

Column headings: Interrupt Vector; Function; Return Address
At Failing Instruction?; Always Restartable?; Error Code
on Stack?

Functions listed:
Double exception detected
Processor extension segment overrun
Invalid task state segment
Segment not present
Stack segment overrun or stack segment not present
General protection


NOTE 1: When a PUSHA or POPA instruction attempts to wrap around the stack segment, the machine state after the
exception will not be restartable because stack segment wrap around is not permitted. This condition is identified
by the value of the saved SP being either 0000(H), 0001(H), FFFE(H), or FFFF(H).


NOTE 2: These exceptions indicate a violation to privilege rules or usage rules has occurred. Restart is generally not
attempted under those conditions.


All these checks are performed for all instructions and 
can be split into three categories: segment load checks 
(Table 11), operand reference checks (Table 12), and 
privileged instruction checks (Table 13). Any violation 
of the rules shown will result in an exception. A
not-present exception causes exception 11 or 12 and
is restartable.


Special Operations 

TASK SWITCH OPERATION

The 80286 provides a built-in task switch operation which
saves the entire 80286 execution state (registers,
address space, and a link to the previous task), loads a
new execution state, and commences execution in the
new task. Like gates, the task switch operation is
invoked by executing an inter-segment JMP or CALL
instruction which refers to a Task State Segment (TSS) or
task gate descriptor in the GDT or LDT. An INT n
instruction, exception, or external interrupt may also
invoke the task switch operation by selecting a task gate
descriptor in the associated IDT descriptor entry.


The TSS descriptor points at a segment (see Figure 20) 
containing the entire 80286 execution state while a 
task gate descriptor contains a TSS selector. The limit 
field of the descriptor must be >002B(H). 


Each task must have a TSS associated with it. The cur- 
rent TSS is identified by a special register in the 80286 
called the Task Register (TR). This register contains a 
selector referring to the task state segment descriptor 
that defines the current TSS. A hidden base and limit 
register associated with TR are loaded whenever TR is 
loaded with a new selector. 


The IRET instruction is used to return control to the
task that called the current task or was interrupted.
Bit 14 in the flag register is called the Nested Task (NT)
bit. It controls the function of the IRET instruction. If
NT = 0, the IRET instruction performs the regular
current task return by popping values off the stack; when
NT = 1, IRET performs a task switch operation back
to the previous task.


When a CALL, JMP, or INT instruction initiates a task 
switch, the old and new TSS will be marked busy and 
the back link field of the new TSS set to the old TSS 
selector. The NT bit of the new task is set by CALL or 
INT initiated task switches. An interrupt that does not 
cause a task switch will clear NT. NT may also be set
or cleared by POPF or IRET instructions.


The task state segment is marked busy by changing 
the descriptor type field from Type 1 to Type 3. Use 
of a selector that references a busy task state segment 
causes Exception 13. 


PROCESSOR EXTENSION CONTEXT SWITCHING 


The context of a processor extension (such as the 80287
numerics processor) is not changed by the task switch
operation. A processor extension context need only be
changed when a different task attempts to use the
processor extension (which still contains the context of a
previous task). The 80286 detects the first use of a
processor extension after a task switch by causing the
processor extension not present exception (7). The
interrupt handler may then decide whether a context change
is necessary.


Whenever the 80286 switches tasks, it sets the Task 
Switched (TS) bit of the MSW. TS indicates that a pro- 
cessor extension context may belong to a different task 
than the current one. The processor extension not pres- 
ent exception (7) will occur when attempting to execute 
an ESC or WAIT instruction if TS = 1 and a processor
extension is present (MP = 1 in MSW).


POINTER TESTING INSTRUCTIONS 


The iAPX 286 provides several instructions to speed
pointer testing and consistency checks for maintaining
system integrity (see Table 15). These instructions
use the memory management hardware to
verify that a selector value refers to an appropriate
segment without risking an exception. A condition
flag (ZF) indicates whether use of the selector or
segment will cause an exception.


Figure 20. Task State Segment and TSS Registers

(Figure labels: task register; TSS descriptor with BASE 23-16,
BASE 15-0 and LIMIT 15-0; current task state segment with the
task LDT selector and the DS, SS, CS and ES selectors; stacks.
Descriptor notes: an available task state segment may be used as
the destination of a task switch operation; a busy task state
segment cannot be used as the destination of a task switch; base
and limit fields are valid, or the segment is not present in
memory and base and limit are not defined.)


Table 15. 80286 Pointer Test Instructions

Instruction  Operands            Function
-----------  ------------------  ----------------------------------------
ARPL         Selector, Register  Adjust Requested Privilege Level:
                                 adjusts the RPL of the selector to the
                                 numeric maximum of current selector RPL
                                 value and the RPL value in the register.
                                 Set zero flag if selector RPL was
                                 changed by ARPL.

VERR         Selector            VERify for Read: sets the zero flag if
                                 the segment referred to by the selector
                                 can be read.

VERW         Selector            VERify for Write: sets the zero flag if
                                 the segment referred to by the selector
                                 can be written.

LSL          Register, Selector  Load Segment Limit: reads the segment
                                 limit into the register if privilege
                                 rules and descriptor type allow. Set
                                 zero flag if successful.

LAR          Register, Selector  Load Access Rights: reads the descriptor
                                 access rights byte into the register if
                                 privilege rules allow. Set zero flag if
                                 successful.

DOUBLE FAULT AND SHUTDOWN


If two separate exceptions are detected during a single
instruction execution, the 80286 performs the double
fault exception (8). If an exception occurs during
processing of the double fault exception, the 80286 will
enter shutdown. During shutdown no further instructions
or exceptions are processed. Either NMI (CPU remains
in protected mode) or RESET (CPU exits protected mode)
can force the 80286 out of shutdown. Shutdown is
externally signalled via a HALT bus operation with A1 HIGH.


PROTECTED MODE INITIALIZATION


The 80286 initially executes in real address mode
after RESET. To allow initialization code to be placed
at the top of physical memory, A23-20 will be HIGH
when the 80286 performs memory references
relative to the CS register until CS is changed. A23-20
will be zero for references to the DS, ES, or SS
segments. Changing CS in real address mode will
force A23-20 LOW whenever CS is used again. The
initial CS:IP value of F000:FFF0 provides 64K bytes
of code space for initialization code without
changing CS.


Protected mode operation requires several registers
to be initialized. The GDT and IDT base registers
must refer to a valid GDT and IDT. After
executing the LMSW instruction to set PE, the 80286
must immediately execute an intra-segment JMP
instruction to clear the instruction queue of
instructions decoded in real address mode.


To force the 80286 CPU registers to match the initial
protected mode state assumed by software, execute
a JMP instruction with a selector referring to the
initial TSS used in the system. This will load the task
register, local descriptor table register, segment
registers and initial general register state. The TR
should point at a valid TSS since any task switch
operation involves saving the current task state.


SYSTEM INTERFACE


The 80286 system interface appears in two forms: a
local bus and a system bus. The local bus consists of
address, data, status, and control signals at the pins of
the CPU. A system bus is any buffered version of the
local bus. A system bus may also differ from the local
bus in terms of coding of status and control lines and/or
timing and loading of signals. The iAPX 286 family
includes several devices to generate standard system
buses such as the IEEE 796 standard Multibus™.


Bus Interface Signals and Timing


The iAPX 286 microsystem local bus interfaces the 80286
to local memory and I/O components. The interface has
24 address lines, 16 data lines, and 8 status and control
signals.


The 80286 CPU, 82284 clock generator, 82288 bus
controller, 82289 bus arbiter, 8286/7 transceivers,
and 8282/3 latches provide a buffered and decoded
system bus interface. The 82284 generates the
system clock and synchronizes READY and RESET.
The 82288 converts bus operation status encoded
by the 80286 into command and bus control signals.
The 82289 bus arbiter generates Multibus bus
arbitration signals. These components can provide
the timing and electrical power drive levels required
for most system bus interfaces including the Multibus.


Physical Memory and I/O Interface


A maximum of 16 megabytes of physical memory can
be addressed in protected mode. One megabyte can be
addressed in real address mode. Memory is accessible
as bytes or words. Words consist of any two consecutive
bytes addressed with the least significant byte stored in
the lowest address.


Byte transfers occur on either half of the 16-bit local data
bus. Even bytes are accessed over D7-0 while odd bytes
are transferred over D15-8. Even-addressed words are
transferred over D15-0 in one bus cycle, while
odd-addressed words require two bus operations. The first
transfers data on D15-8, and the second transfers data
on D7-0. Both byte data transfers occur automatically,
transparent to software.


Two bus signals, A0 and BHE, control transfers over the
lower and upper halves of the data bus. Even address
byte transfers are indicated by A0 LOW and BHE HIGH.
Odd address byte transfers are indicated by A0 HIGH
and BHE LOW. Both A0 and BHE are LOW for even
address word transfers.


The I/O address space contains 64K addresses in both 
modes. The I/O space is accessible as either bytes or 
words, as is memory. Byte wide peripheral devices may 
be attached to either the upper or lower byte of the data 
bus. Byte-wide I/O devices attached to the upper data 
byte (D15-8) are accessed with odd I/O addresses.
Devices on the lower data byte are accessed with even I/O
addresses. An interrupt controller such as Intel’s 8259A
must be connected to the lower data byte (D7-0) for proper
return of the interrupt vector.


Bus Operation 


The 80286 uses a double frequency system clock (CLK 
input) to control bus timing. All signals on the local bus 
are measured relative to the system CLK input. The CPU 
divides the system clock by 2 to produce the internal 
processor clock, which determines bus state. Each pro- 
cessor clock is composed of two system clock cycles 
named phase 1 and phase 2. The 82284 clock generator 
output (PCLK) identifies the next phase of the processor 
clock. (See Figure 21.) 


Figure 21. System and Processor Clock Relationships

(Figure labels: CLK and PCLK waveforms. One processor clock
cycle, equal to one bus T state, is made up of phase 1 and
phase 2 of the processor clock cycle, each one system CLK
cycle long.)


Six types of bus operations are supported: memory read,
memory write, I/O read, I/O write, interrupt acknowl- 
edge, and halt/shutdown. Data can be transferred at a 
maximum rate of one word per two processor clock cycles. 


The iAPX 286 bus has three basic states: idle (Ti), send
status (Ts), and perform command (Tc). The 80286 CPU
also has a fourth local bus state called hold (Th). Th
indicates that the 80286 has surrendered control of the
local bus to another bus master in response to a HOLD
request.


Each bus state is one processor clock long. Figure 22 
shows the four 80286 local bus states and allowed 
transitions. 


Figure 22. 80286 Bus States


Bus States 


The idle (Ti) state indicates that no data transfers are
in progress or requested. The first active state Ts is
signaled by status line S1 or S0 going LOW and
identifying phase 1 of the processor clock. During Ts, the
command encoding, the address, and data (for a write
operation) are available on the 80286 output pins. The
82288 bus controller decodes the status signals and
generates Multibus compatible read/write command
and local transceiver control signals.


After Ts, the perform command (Tc) state is entered.
Memory or I/O devices respond to the bus operation
during Tc, either transferring read data to the CPU or
accepting write data. Tc states may be repeated as
often as necessary to assure sufficient time for the
memory or I/O device to respond. The READY signal
determines whether Tc is repeated. A repeated Tc
state is called a wait state.


During hold (Th), the 80286 will float all address, data,
and status output pins enabling another bus master
to use the local bus. The 80286 HOLD input signal
is used to place the 80286 into the Th state. The
80286 HLDA output signal indicates that the CPU has
entered Th.


Pipelined Addressing 

The 80286 uses a local bus interface with pipelined 
timing to allow as much time as possible for data 
access. Pipelined timing allows a new bus operation 
to be initiated every two processor cycles, while allow- 
ing each individual bus operation to last for three 
processor cycles.


The timing of the address outputs is pipelined such that
the address of the next bus operation becomes available
during the current bus operation. Or in other words, the
first clock of the next bus operation is overlapped with
the last clock of the current bus operation. Therefore,
address decode and routing logic can operate in
advance of the next bus operation. External address latches
may hold the address stable for the entire bus operation,
and provide additional AC and DC buffering.


Figure 23. Basic Bus Cycle

(Figure labels: PROC CLK; READ BUS CYCLE N followed by READ
BUS CYCLE N + 1, with VALID READ DATA (N) and VALID READ
DATA (N + 1). PIPELINING: VALID ADDRESS (N + 1) AVAILABLE
IN LAST PHASE OF BUS CYCLE (N).)


The 80286 does not maintain the address of the current
bus operation during all Tc states. Instead, the address
for the next bus operation may be emitted during phase
2 of any Tc. The address remains valid during phase 1
of the first Tc to guarantee hold time, relative to ALE, for
the address latch inputs.


Bus Control Signals


The 82288 bus controller provides control signals: address
latch enable (ALE), Read/Write commands, data
transmit/receive (DT/R), and data enable (DEN) that
control the address latches, data transceivers, write
enable, and output enable for memory and I/O systems.


The Address Latch Enable (ALE) output determines when
the address may be latched. ALE provides at least one
system CLK period of address hold time from the end of
the previous bus operation until the address for the next
bus operation appears at the latch outputs. This address
hold time is required to support Multibus® and common
memory systems.


The data bus transceivers are controlled by 82288
outputs Data Enable (DEN) and Data Transmit/Receive
(DT/R). DEN enables the data transceivers; while DT/R
controls transceiver direction. DEN and DT/R are timed to
prevent bus contention between the bus master, data
bus transceivers, and system data bus transceivers.


Command Timing Controls 


Two system timing customization options, command
extension and command delay, are provided on the iAPX
286 local bus.


Command extension allows additional time for external 
devices to respond to a command and is analogous to 
inserting wait states on the 8086. External logic can con- 
trol the duration of any bus operation such that the op- 
eration is only as long as necessary. The READY input 
signal can extend any bus operation for as long as 
necessary. 


Command delay allows an increase of address or write 
data setup time to system bus command active for any 
bus operation by delaying when the system bus com- 
mand becomes active. Command delay is controlled by 
the 82288 CMDLY input. After Ts, the bus controller
samples CMDLY at each falling edge of CLK. If CMDLY
is HIGH, the 82288 will not activate the command signal.
When CMDLY is LOW, the 82288 will activate the
command signal. After the command becomes active, the
CMDLY input is not sampled.


When a command is delayed, the available response
time from command active to return read data or accept
write data is less. To customize system bus timing, an
address decoder can determine which bus operations
require delaying the command. The CMDLY input does
not affect the timing of ALE, DEN, or DT/R.


Figure 24. CMDLY Controls the Leading Edge of Command Signal.


Figure 24 illustrates four uses of CMDLY. Example 1 
shows delaying the read command two system CLKs for 
cycle N-1 and no delay for cycle N, and example 2 shows 
delaying the read command one system CLK for cycle 
N-1 and one system CLK delay for cycle N. 


Bus Cycle Termination


At maximum transfer rates, the iAPX 286 bus alternates
between the status and command states. The bus status
signals become inactive after Ts so that they may
correctly signal the start of the next bus operation after
the completion of the current cycle. No external
indication of Tc exists on the iAPX 286 local bus. The bus
master and bus controller enter Tc directly after Ts and
continue executing Tc cycles until terminated by READY.


READY Operation 


The current bus master and 82288 bus controller
terminate each bus operation simultaneously to achieve
maximum bus operation bandwidth. Both are informed
in advance by READY active (open-collector output
from 82284) which identifies the last Tc cycle of the
current bus operation. The bus master and bus
controller must see the same sense of the READY signal,
thereby requiring READY be synchronous to the
system clock.


Synchronous Ready 


The 82284 clock generator provides READY
synchronization from both synchronous and asynchronous
sources (see Figure 25). The synchronous ready input
(SRDY) of the clock generator is sampled with the falling
edge of CLK at the end of phase 1 of each Tc. The state
of SRDY is then broadcast to the bus master and bus
controller via the READY output line.


Asynchronous Ready 


Many systems have devices or subsystems that are 
asynchronous to the system clock. As a result, their 
ready outputs cannot be guaranteed to meet the 82284 
SRDY setup and hold time requirements. But the 
82284 asynchronous ready input (ARDY) is designed 
to accept such signals. The ARDY input is sampled at 
the beginning of each Tc cycle by 82284 synchroniza- 
tion logic. This provides one system CLK cycle time to 
resolve its value before broadcasting it to the bus
master and bus controller.


Figure 25. Synchronous and Asynchronous Ready

NOTES:
1. SRDYEN is active low
2. If SRDYEN is high, the state of SRDY will not affect READY
3. ARDYEN is active low


ARDY or ARDYEN must be HIGH at the end of Ts.
ARDY cannot be used to terminate bus cycle with
no wait states.


Each ready input of the 82284 has an enable pin
(SRDYEN and ARDYEN) to select whether the current
bus operation will be terminated by the synchronous or
asynchronous ready. Either of the ready inputs may
terminate a bus operation. These enable inputs are active
low and have the same timing as their respective ready
inputs. Address decode logic usually selects whether
the current bus operation should be terminated by ARDY
or SRDY.


Data Bus Control


Figures 26, 27, and 28 show how the DT/R, DEN, data
bus, and address signals operate for different
combinations of read, write, and idle bus operations. DT/R
goes active (LOW) for a read operation. DT/R remains HIGH
before, during, and between write operations.


The data bus is driven with write data during the second
phase of Ts. The delay in write data timing allows the
read data drivers, from a previous read cycle, sufficient
time to enter 3-state OFF before the 80286 CPU begins
driving the local data bus for write operations. Write data
will always remain valid for one system clock past the
last Tc to provide sufficient hold time for Multibus or other
similar memory or I/O systems. During write-read or
write-idle sequences the data bus enters 3-state OFF during
the second phase of the processor cycle after the last
Tc. In a write-write sequence the data bus does not enter
3-state OFF between Tc and Ts.


Figure 26. Back to Back Read-Write Cycles

Figure 28. Back to Back Write-Write Cycles


Bus Usage


The 80286 local bus may be used for several functions:
instruction data transfers, data transfers by other bus
masters, instruction fetching, processor extension data
transfers, interrupt acknowledge, and halt/shutdown. This
section describes local bus activities which have special
signals or requirements.


HOLD and HLDA 


HOLD and HLDA allow another bus master to gain
control of the local bus by placing the 80286 bus into the Th
state. The sequence of events required to pass control
between the 80286 and another local bus master are
shown in Figure 29.


In this example, the 80286 is initially in the Th state as
signaled by HLDA being active. Upon leaving Th, as
signaled by HLDA going inactive, a write operation is started.
During the write operation another local bus master
requests the local bus from the 80286 as shown by the
HOLD signal. After completing the write operation, the
80286 performs one Ti bus cycle, to guarantee write data
hold time, then enters Th as signaled by HLDA going
active.


The CMDLY signal and ARDY ready are used to start
and stop the write bus command, respectively. Note that
SRDY must be inactive or disabled by SRDYEN to
guarantee ARDY will terminate the cycle.


Instruction Fetching 

The 80286 Bus Unit (BU) will fetch instructions ahead of 
the current instruction being executed. This activity is 
called prefetching. It occurs when the local bus would 
otherwise be idle and obeys the following rules: 
A prefetch bus operation starts when at least two bytes
of the 6-byte prefetch queue are empty.

The prefetcher normally performs word prefetches independent
of the byte alignment of the code segment
base in physical memory.

The prefetcher will perform only a byte code fetch operation
for control transfers to an instruction beginning
on a numerically odd physical address.

Prefetching stops whenever a control transfer or HLT
instruction is decoded by the IU and placed into the
instruction queue.

In real address mode, the prefetcher may fetch up
to 6 bytes beyond the last control transfer or HLT
instruction in a code segment.

In protected mode, the prefetcher will never cause a
segment overrun exception. The prefetcher stops at
the last physical memory word of the code segment.
Exception 13 will occur if the program attempts to execute
beyond the last full instruction in the code
segment.

If the last byte of a code segment appears on an even
physical memory address, the prefetcher will read the
next physical byte of memory (perform a word code
fetch). The value of this byte is ignored and any attempt
to execute it causes exception 13.
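
The protected-mode prefetch rules above, modelled as an added C example (not Intel's code). It assumes the queue keeps draining, so prefetching runs to the end of the segment; `prefetch_trace`, `exec_exception` and the segment values in `main` are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One code-fetch bus operation issued by the modelled prefetcher. */
struct fetch {
    uint32_t phys;   /* physical address driven on the bus */
    unsigned width;  /* 1 = byte code fetch, 2 = word code fetch */
};

/*
 * Trace the code fetches that follow a control transfer to offset `target`
 * in a protected-mode code segment with physical base `base` and limit
 * `limit` (offset of the last valid byte).
 * Returns the number of fetches written to `out` (at most `max`).
 * *over_read is set to 1 when the final word fetch also reads the byte
 * just past the segment limit, which the rules say happens when the last
 * segment byte sits on an even physical address.
 */
size_t prefetch_trace(uint32_t base, uint16_t limit, uint16_t target,
                      struct fetch *out, size_t max, int *over_read)
{
    uint32_t last = base + limit;   /* physical address of the last segment byte */
    uint32_t addr = base + target;  /* physical address of the transfer target */
    size_t n = 0;

    *over_read = 0;
    if (target > limit)
        return 0;                   /* destination outside the segment: nothing fetched */

    /* Control transfer to an odd physical address: a single byte code fetch. */
    if ((addr & 1u) && n < max) {
        out[n].phys = addr;
        out[n].width = 1;
        n++;
        addr++;
    }

    /* Word fetches on even addresses, stopping at the last word of the segment. */
    while (addr <= last && n < max) {
        out[n].phys = addr;
        out[n].width = 2;
        n++;
        if (addr == last)
            *over_read = 1;         /* odd half of this word lies beyond the limit */
        addr += 2;
    }
    return n;
}

/*
 * Exception raised when an instruction of `len` bytes (len >= 1) at offset
 * `ip` is executed: 13 if any of its bytes lies beyond the limit, else 0.
 */
int exec_exception(uint16_t limit, uint16_t ip, unsigned len)
{
    return ((uint32_t)ip + len - 1u > limit) ? 13 : 0;
}

int main(void)
{
    /* Constructed segment: base 0x1000, limit 4, entered at offset 1. */
    struct fetch f[8];
    int over;
    size_t n = prefetch_trace(0x1000, 4, 1, f, 8, &over);

    for (size_t i = 0; i < n; i++)
        printf("fetch %u byte(s) at %06lX\n", f[i].width, (unsigned long)f[i].phys);
    printf("byte past limit read on the bus: %s\n", over ? "yes" : "no");
    printf("2-byte instruction at offset 4: exception %d\n", exec_exception(4, 4, 2));
    return 0;
}
```

The byte beyond the limit appears on the bus but is never usable by the program, which is why a bus trace can show a read that the protection model still treats as out of bounds.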
[Timing diagram. Signals shown include HLDA, MWTC, and DT/R, by bus cycle type.]

TS = STATUS CYCLE
TC = COMMAND CYCLE

NOTES:

1. Status lines are not driven by 80286, yet remain high due to pullup resistors in 82288 and 82289 during HOLD state.
2. Address, M/IO and COD/INTA may start floating during any TC depending on when internal 80286 bus arbiter decides to release bus to external HOLD. The float starts in φ2 of TC.
3. BHE and LOCK may start floating after the end of any TC depending on when internal 80286 bus arbiter decides to release bus to external HOLD. The float starts in φ1 of TC.
4. The minimum HOLD to HLDA time is shown. Maximum is one TH longer.
5. The earliest HOLD time is shown. It will always allow a subsequent memory cycle if pending is shown.
6. The minimum HOLD to HLDA time is shown. Maximum is a function of the instruction, type of bus cycle and other machine status (i.e., Interrupts, Waits, Lock, etc.)
7. Asynchronous ready allows termination of the cycle. Synchronous ready does not signal ready in this example. Synchronous ready state is ignored after ready is signaled via the asynchronous input.

Figure 29. Multibus Write Terminated by Asynchronous Ready with Bus Hold
Processor Extension Transfers


The processor extension interface uses I/O port
addresses 00F8(H), 00FA(H), and 00FC(H) which are
part of the I/O port address range reserved by Intel.
An ESC instruction with Machine Status Word bits
EM = 0 and TS = 0 will perform I/O bus operations to
one or more of these I/O port addresses independent
of the value of IOPL and CPL.

ESC instructions with memory references enable the
CPU to accept PEREQ inputs for processor extension
operand transfers. The CPU will determine the operand
starting address and read/write status of the instruction.
For each operand transfer, two or three bus operations
are performed, one word transfer with I/O port address
00FA(H) and one or two bus operations with memory.
Three bus operations are required for each word operand
aligned on an odd byte address.


Interrupt Acknowledge Sequence


Figure 30 illustrates an interrupt acknowledge sequence
performed by the 80286 in response to an INTR input.
An interrupt acknowledge sequence consists of two
INTA bus operations. The first allows a master 8259A
Programmable Interrupt Controller (PIC) to determine
which if any of its slaves should return the interrupt
vector. An eight bit vector is read on D0-D7 of the
80286 during the second INTA bus operation to select
an interrupt handler routine from the interrupt table.

The Master Cascade Enable (MCE) signal of the 82288
is used to enable the cascade address drivers, during
INTA bus operations (See Figure 30), onto the local address
bus for distribution to slave interrupt controllers via
the system address bus. The 80286 emits the LOCK
signal (active LOW) during TS of the first INTA bus operation.
A local bus "hold" request will not be honored until
the end of the second INTA bus operation.

Three idle processor clocks are provided by the 80286
between INTA bus operations to allow for the minimum
INTA to INTA time and CAS (cascade address) out delay
of the 8259A. The second INTA bus operation must always
have at least one extra TC state added via logic
controlling READY. A23-A0 are in 3-state OFF until after
the first TC state of the second INTA bus operation. This
prevents bus contention between the cascade address
drivers and CPU address drivers. The extra TC state allows
time for the 80286 to resume driving the address
lines for subsequent bus operations.
Local Bus Usage Priorities


The 80286 local bus is shared among several internal
units and external HOLD requests. In case of simultaneous
requests, their relative priorities are:

(Highest)  Any transfers which assert LOCK either explicitly
           (via the LOCK instruction prefix) or
           implicitly (i.e. segment descriptor access,
           interrupt acknowledge sequence, or an
           XCHG with memory).

           The second of the two byte bus operations
           required for an odd aligned word operand.

           The second or third cycle of a processor
           extension data transfer.

           Local bus request via HOLD input.

           Processor extension data operand transfer
           via PEREQ input.

           Data transfer performed by EU as part of an
           instruction.

(Lowest)   An instruction prefetch request from BU. The
           EU will inhibit prefetching two processor
           clocks in advance of any data transfers to
           minimize waiting by EU for a prefetch to finish.


Halt or Shutdown Cycles 


The 80286 externally indicates halt or shutdown conditions
as a bus operation. These conditions occur due to
a HLT instruction or multiple protection exceptions while
attempting to execute one instruction. A halt or shutdown
bus operation is signalled when S1, S0 and COD/INTA
are LOW and M/IO is HIGH. A1 HIGH indicates
halt, and A1 LOW indicates shutdown. The 82288 bus
controller does not issue ALE, nor is READY required to
terminate a halt or shutdown bus operation.

During halt or shutdown, the 80286 may service PEREQ
or HOLD requests. A processor extension segment
overrun exception during shutdown will inhibit further
service of PEREQ. Either NMI or RESET will force the
80286 out of either halt or shutdown. An INTR, if interrupts
are enabled, or a processor extension segment
overrun exception will also force the 80286 out of halt.
NOTES:

1. Data is ignored.
2. First INTA cycle should have at least one wait state inserted to meet 8259A minimum INTA pulse width.
3. Second INTA cycle must have at least one wait state inserted since the CPU will not drive A23-A0, BHE, and LOCK until after the first TC state.
   The CPU imposed one clock delay prevents bus contention between cascade address buffer being disabled by MCE and address outputs.
   Without the wait state, the 80286 address will not be valid for a memory cycle started immediately after the second INTA cycle. The 8259A also requires one wait state for minimum INTA pulse width.
4. LOCK is active for the first INTA cycle to prevent the 82289 from releasing the bus between INTA cycles in a multi-master system.
5. A23-A0 exits 3-state OFF during φ2 of the second TC in the INTA cycle.

Figure 30. Interrupt Acknowledge Sequence

Figure 31. Basic iAPX 286 System Configuration


SYSTEM CONFIGURATIONS 


The versatile bus structure of the iAPX 286 microsystem,
with a full complement of support chips, allows flexible
configuration of a wide range of systems. The basic
configuration, shown in Figure 31, is similar to an iAPX
86 maximum mode system. It includes the CPU plus an
8259A interrupt controller, 82284 clock generator, and
the 82288 Bus Controller. The iAPX 86 latches (8282
and 8283) and transceivers (8286 and 8287) may be
used in an iAPX 286 microsystem.

As indicated by the dashed lines in Figure 31, the ability
to add processor extensions is an integral feature of iAPX
286 microsystems. The processor extension interface
allows external hardware to perform special functions
and transfer data concurrent with CPU execution of other
instructions. Full system integrity is maintained because
the 80286 supervises all data transfers and instruction
execution for the processor extension.

The iAPX 286/20 numeric data processor which includes
the 80287 numeric processor extension (NPX)
uses this interface. The iAPX 286/20 has all the instructions
and data types of an iAPX 86/20 or iAPX 88/20.
The 80287 NPX can perform numeric calculations and
data transfers concurrently with CPU program execution.
Numerics code and data have the same integrity as
all other information protected by the iAPX 286 protection
mechanism.

The 80286 can overlap chip select decoding and address
propagation during the data transfer for the previous
bus operation. This information is latched into the
8282/3's by ALE during the middle of a TS cycle. The
latched chip select and address information remains
stable during the bus operation while the next cycle's
address is being decoded and propagated into the system.
Decode logic can be implemented with a high speed
bipolar PROM.

The optional decode logic shown in Figure 31 takes advantage
of the overlap between address and data of the
80286 bus cycle to generate advanced memory and I/O
select signals. This minimizes system performance
degradation caused by address propagation and decode
delays. In addition to selecting memory and I/O,
the advanced selects may be used with configurations
supporting local and system buses to enable the appropriate
bus interface for each bus cycle. The COD/INTA
and M/IO signals are applied to the decode logic to distinguish
between interrupt, I/O, code and data bus cycles.

Figure 32. Multibus System Bus Interface

By adding the 82289 bus arbiter chip the 80286 provides
a Multibus system bus interface as shown in Figure 32.
The ALE output of the 82288 for the Multibus bus is
connected to its CMDLY input to delay the start of commands
one system CLK as required to meet Multibus
address and write data setup times. This arrangement
will add at least one extra TC state to each bus operation
which uses the Multibus.

A second 82288 bus controller and additional latches
and transceivers could be added to the local bus of Figure 32.
This configuration allows the 80286 to support
an on-board bus for local memory and peripherals, and
the Multibus for system bus interfacing.




Figure 33. iAPX 286 System Configuration with Dual-Ported Memory 


Figure 33 shows the addition of dual ported dynamic 
memory between the Multibus system bus and the iAPX 
286 local bus. The dual port interface is provided by the 
8207 Dual Port DRAM Controller. The 8207 runs syn- 
chronously with the CPU to maximize throughput for lo- 
cal memory references. It also arbitrates between 
requests from the local and system buses and performs 


functions such as refresh, initialization of RAM, and read/ 
modify/write cycles. The 8207 combined with the 8206 
Error Checking and Correction memory controller pro- 
vide for single bit error correction. The dual-ported 
memory can be combined with a standard Multibus sys- 
tem bus interface to maximize performance and protec- 
tion in multiprocessor system configurations. 


Table 16. 80286 Systems Recommended Pull up Resistor Values

20KΩ ± 10%: Pull S0, S1, and PEACK inactive during 80286 hold periods.

20KΩ ± 10%: Pull ERROR and BUSY inactive when 80287 not present
(or temporarily removed from socket).

910Ω ± 5%: Pull READY inactive within required minimum time (CL = 150pF,
IR < 7mA).
PACKAGE


The 80286 is packaged in a 68-pin, leadless JEDEC
type A hermetic leadless chip carrier. Figure 34 illustrates
the package, and Figure 2 shows the pinout.

[Package drawing. Dimensions are given in inches (millimeters); the pin no. 1 mark is indicated.]

Figure 34. JEDEC Type A Package


ABSOLUTE MAXIMUM RATINGS*

Ambient Temperature Under Bias .......... 0°C to 70°C
Storage Temperature .......... -65°C to +150°C
Voltage on Any Pin with Respect to Ground .......... -1.0 to +7V
Power Dissipation .......... 3.6 Watt

*NOTICE: Stresses above those listed under "Absolute Maximum
Ratings" may cause permanent damage to the device.
This is a stress rating only and functional operation of the device
at these or any other conditions above those indicated in
the operational sections of this specification is not implied.
Exposure to absolute maximum rating conditions for extended
periods may affect device reliability.


D.C. CHARACTERISTICS (1, =0°C to 88°C, Vgc = 5V, * 5% 


Input Leakage Current (0V ≤ VIN ≤ VCC)
Output Leakage Current (0.45V ≤ VOUT ≤ VCC)
ICC Supply Current (turn on, 0°C)
CLK Input Capacitance
Other Input Capacitance
Input/Output Capacitance

NOTE 1: Low temperature is worst case.
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A.C. CHARACTERISTICS = (1, =0°C to 55°C, Vog = SV, + 5%) | 


AC timings are referenced to 0.8V and 2.0V points of signals as illustrated in datasheet waveforms, unless otherwise noted. 


a 

[7 [System Glock (CLK) Period faa [250 [es [50 | 62 [250 [ns{ 
260 | 18 | 225 
235 
(17 [System Glock (GLK) Rise Time | | 10 | | 10 | | 10 | ns |[10V0a5v 
 1@ [System Glock (CLK) FallTime | | 10 | | 10] | 10 | ns [35vtotov | 
[4 [Asynch Inputs SetupTime _|40_[| [30 [ [20 | [ns [Nolet 
[5 __[Asynch. Inputs Hold Time [40] [30] | 20 || ns [Notet—+ 
es 5 Ae CS eee a As Se WR 
RESET Hold Time aa ee eee ne 
(8 [Read Data SetuupTime +30 -+ij2o fio | [nsf 
[9 [Read DataHoid Time | @ | [8 | | 8 | [rs] +4 
READY Setup Time a so ee ney 
READY Hold Time cso [pas fi Cds |] 
[72 | Status/PERCK Valid Delay | 1 | €0 | 1 | 86 | 1 | 40 | ns |Nole2 Notes _| 
[43 _[Address Vaid Delay __———+| 1 _[v20| 1 | 80 | 1 | 60 | ns [Nole? Noles 
[44 | Write Data Valid Delay To [100 [0 | 65 [0 | 50 | ns [Note 2 Notes _ 
Address/Siatus/Data Float Delay | 0 [120 [0 | 80 | 0 | 80 | ns [Note2 Noted 
[16 [HUDA Valid Delay To fo fo [eo | o 


NOTE 1: Asynchronous inputs are INTR, NMI, HOLD, PEREQ, ERROR, and BUSY. This specification is given only for testing
purposes, to assure recognition at a specific CLK edge.

NOTE 2: Delay from 0.8V on the CLK, to 0.8V or 2.0V or float on the output as appropriate for valid or floating condition.
NOTE 3: Output load: CL = 100pF.
NOTE 4: Float condition occurs when output current is less than ILO in magnitude.


82284 Timing Requirements 


‘Test Conditions 


NOTE : These times are given for testing purposes to assure a predetermined action. 


82288 Timing Requirements eae . 
~ 8288-6 me | |. id 
[ Max. | Min. | Max. | Units | Test Conditions 


Sn eee ee ea 
BS SAO Aa Rl RR 
ig OMeunming ee a a) 
“30 | Gommand delay Conmandheckee |e [ wo [a eae 
From CLK. Fo ; ns lol = 32 mamax |. 
: 
eee ee eee eee | 
Ee ee 
| 35 | ons | Ig. =16 mamax 
| 35 {| ns |. Igy =-1 mamax |. 
0 [ns 
WAVEFORMS


MAJOR CYCLE TIMING

[Timing diagram. Signals shown include BHE, LOCK, SRDY + SRDYEN, ARDY + ARDYEN, and PCLK.]
80286 RESET INPUT TIMING AND
SUBSEQUENT PROCESSOR CYCLE PHASE

[Timing diagram.]

NOTE 1: When RESET meets the setup time shown, the next CLK
will start or repeat φ2 of a processor cycle.


80286 ASYNCHRONOUS INPUT SIGNAL TIMING

[Timing diagram. Signals shown: PCLK (see note 1); INTR, NMI, HOLD, PEREQ (see note 2); ERROR, BUSY (see note 2).]

NOTES:

1. PCLK indicates which processor cycle phase will occur on the
next CLK. PCLK may not indicate the correct phase until the first
bus cycle is performed.

2. These inputs are asynchronous. The setup and hold times shown
assure recognition for testing purposes.


EXITING AND ENTERING HOLD

[Timing diagram. Signals shown include CLK, BHE, LOCK, COD/INTA, and PEACK.]

NOTES:

1. These signals may not be driven by the 80286 during the time shown. The worst case in terms of latest float time is shown.
2. The data bus will be driven as shown if the last cycle before TI in the diagram was a write TC.
3. The 80286 floats its status pins during TH. External 20KΩ resistors keep these signals high (see Table 16).
4. For HOLD request set up to HLDA, refer to Figure 29.
5. BHE and LOCK are driven at this time but will not become valid until TS.
6. The data bus will remain in 3-state OFF if a read cycle is performed.
WAVEFORMS (Continued)

80286 PEREQ/PEACK TIMING FOR ONE TRANSFER ONLY

[Timing diagram. Signals shown: CLK, S1 and S0, A23-A0, M/IO, COD/INTA, PEACK (see note 1). Annotations on the diagram:
I/O READ IF PROC. EXT. TO MEMORY; MEMORY READ IF MEMORY TO PROC. EXT.
MEMORY WRITE IF PROC. EXT. TO MEMORY; I/O WRITE IF MEMORY TO PROC. EXT.
MEMORY ADDRESS IF PROC. EXT. TO MEMORY TRANSFER; I/O PORT ADDRESS 00FA(H) IF MEMORY TO PROC. EXT. TRANSFER
I/O PORT ADDRESS 00FA(H) IF PROC. EXT. TO MEMORY TRANSFER; MEMORY ADDRESS IF MEMORY TO PROC. EXT. TRANSFER]

ASSUMING WORD-ALIGNED MEMORY OPERAND. IF ODD ALIGNED, 80286 TRANSFERS TO/FROM MEMORY BYTE-AT-A-TIME WITH TWO MEMORY CYCLES.


NOTES:
1. PEACK always goes active during the first bus operation of a processor extension data operand transfer sequence. The first bus operation
will be either a memory read at operand address or I/O read at port address 00FA(H).
2. To prevent a second processor extension data operand transfer, the worst case maximum time (Shown above) i is: Oe Dax. 
-@) min, The actual, configuration dependent, maximum time is: 3X1) -—@1) max -—@ mi, + AX2X ge 
A is the number of extra T,. states added to either the first or second bus operation of the processor extension diate operand transfer | ) 
sequence. Se 


INITIAL 80286 PIN STATE DURING RESET

[Timing diagram. Signals shown include CLK, RESET (held for at least 16 CLK periods), PEACK, BHE, COD/INTA, LOCK, and HLDA.]

NOTES:

1. Setup time for RESET ↑ may be violated with the consideration that φ1 of the processor clock may begin one system CLK period later.

2. Setup and hold times for RESET ↓ must be met for proper operation, but RESET ↓ may occur during φ1 or φ2.

3. The data bus is only guaranteed to be in 3-state OFF at the time shown.

4. HOLD is acknowledged during RESET, causing HLDA to go active and the appropriate pins to float. If HOLD remains active while RESET goes
inactive, the 80286 remains in HOLD state and will not perform any bus accesses until HOLD is deactivated.
[Instruction format diagram. Panels: A. Short Opcode Format Example; B. Long Opcode Format Example. Field labels:
OPERATION (INSTRUCTION) CODE
REGISTER/DIRECTION IS FROM REGISTER
WORD/BYTE OPERATION
REGISTER MODE/MEMORY MODE WITH DISPLACEMENT LENGTH
REGISTER OPERAND/EXTENSION OF OPCODE
REGISTER OPERAND/REGISTERS TO USE IN OFFSET CALCULATION]

Figure 35. 80286 Instruction Format Examples


80286 INSTRUCTION SET SUMMARY 


Instruction Timing Notes 


The instruction clock counts listed below establish the
maximum execution rate of the 80286. With no delays in
bus cycles, the actual clock count of an 80286 program
will average 5% more than the calculated clock count,
due to instruction sequences which execute faster than
they can be fetched from memory.

To calculate elapsed times for instruction sequences,
multiply the sum of all instruction clock counts, as listed
in the table below, by the processor clock period. An 8
MHz processor clock has a clock period of 125 nanoseconds
and requires an 80286 system clock (CLK input) of
16 MHz.


Instruction Clock Count Assumptions

1. The instruction has been prefetched, decoded, and
is ready for execution. Control transfer instruction clock
counts include all time required to fetch, decode, and
prepare the next instruction for execution.

2. Bus cycles do not require wait states.

3. There are no processor extension data transfer or
local bus HOLD requests.

4. No exceptions occur during instruction execution.


Instruction Set Summary Notes

Addressing displacements selected by the MOD field
are not shown. If necessary they appear after the instruction
fields shown.

Above/below refers to unsigned value
Greater refers to positive signed value
Less refers to less positive (more negative) signed values

if d = 1 then to register; if d = 0 then from register
if w = 1 then word instruction; if w = 0 then byte
instruction
if s = 0 then 16-bit immediate data form the operand
if s = 1 then an immediate data byte is sign-extended
to form the 16-bit operand
x don't care
used for string primitives for comparison with ZF
FLAG

If two clock counts are given, the smaller refers to a register
operand and the larger refers to a memory operand

* = add one clock if offset calculation requires summing
3 elements

n = number of times repeated
m = number of bytes of code in next instruction
Level (L)—Lexical nesting level of the procedure
The following comments describe possible exceptions,
side effects, and allowed usage for instructions in both
operating modes of the 80286.


REAL ADDRESS MODE ONLY

1. This is a protected mode instruction. Attempted execution
in real address mode will result in an undefined
opcode exception (6).

2. A segment overrun exception (13) will occur if a word
operand reference at offset FFFF(H) is attempted.

3. This instruction may be executed in real address
mode to initialize the CPU for protected mode.

4. The IOPL and NT fields will remain 0.

5. Processor extension segment overrun interrupt (9)
will occur if the operand exceeds the segment limit.


EITHER MODE

6. An exception may occur, depending on the value of
the operand.

7. LOCK is automatically asserted regardless of the
presence or absence of the LOCK instruction prefix.

8. LOCK does not remain active between all operand
transfers.


PROTECTED VIRTUAL ADDRESS MODE ONLY

9. A general protection exception (13) will occur if the
memory operand can not be used due to either a
segment limit or access rights violation. If a stack
segment limit is violated, a stack segment overrun
exception (12) occurs.


10. For segment load operations, the CPL, RPL, and
DPL must agree with privilege rules to avoid an exception.
The segment must be present to avoid a
not-present exception (11). If the SS register is the
destination, and a segment not-present violation
occurs, a stack exception (12) occurs.

11. All segment descriptor accesses in the GDT or LDT
made by this instruction will automatically assert
LOCK to maintain descriptor integrity in multiprocessor
systems.

12. JMP, CALL, INT, RET, IRET instructions referring to
another code segment will cause a general protection
exception (13) if any privilege rule is violated.

13. A general protection exception (13) occurs if CPL
≠ 0.

14. A general protection exception (13) occurs if
CPL > IOPL.

15. The IF field of the flag word is not updated if
CPL > IOPL. The IOPL field is updated only if
CPL = 0.

16. Any violation of privilege rules as applied to the selector
operand does not cause a protection exception;
rather, the instruction does not return a result and
the zero flag is cleared.

17. If the starting address of the memory operand violates
a segment limit, or an invalid access is attempted,
a general protection exception (13) will
occur before the ESC instruction is executed. A stack
segment overrun exception (12) will occur if the stack
limit is violated by the operand's starting address. If
a segment limit is violated during an attempted data
transfer then a processor extension segment overrun
exception (9) occurs.

18. The destination of an INT, JMP, CALL, RET or
IRET instruction must be in the defined limit of
a code segment or a general protection exception
(13) will occur.
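
The CPL/IOPL rules in the comments above (the real-mode rule that IOPL and NT remain 0, the exception when CPL > IOPL, and the IF/IOPL update rule), as an added C model that is not from the datasheet. It assumes the update rule is applied when a flag word is loaded from the stack, as POPF does, and uses the 80286 flag-word bit positions (IF bit 9, IOPL bits 12-13, NT bit 14); all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define FLAG_IF   0x0200u   /* interrupt enable, bit 9 */
#define FLAG_IOPL 0x3000u   /* I/O privilege level, bits 12-13 */
#define FLAG_NT   0x4000u   /* nested task, bit 14 */

enum cpu_mode { REAL_MODE, PROTECTED_MODE };

static unsigned iopl_of(uint16_t flags)
{
    return (flags & FLAG_IOPL) >> 12;
}

/*
 * Flag word that results when `popped` is loaded over `cur` by code running
 * at privilege level `cpl`. Only IF, IOPL and NT are modelled; every other
 * bit is taken from `popped` unchanged.
 */
uint16_t load_flag_word(uint16_t cur, uint16_t popped, unsigned cpl,
                        enum cpu_mode mode)
{
    uint16_t keep = 0;  /* fields that retain their current value */

    if (mode == REAL_MODE)   /* IOPL and NT fields remain 0 */
        return (uint16_t)(popped & ~(FLAG_IOPL | FLAG_NT));

    if (cpl > iopl_of(cur))  /* IF is not updated if CPL > IOPL */
        keep |= FLAG_IF;
    if (cpl != 0)            /* IOPL is updated only if CPL = 0 */
        keep |= FLAG_IOPL;

    return (uint16_t)((popped & ~keep) | (cur & keep));
}

/*
 * Fields the load dropped without raising an exception. An emulator or
 * monitor can log a non-zero result as an attempted privileged flag change.
 */
uint16_t dropped_fields(uint16_t cur, uint16_t popped, unsigned cpl,
                        enum cpu_mode mode)
{
    uint16_t result = load_flag_word(cur, popped, cpl, mode);
    return (uint16_t)((result ^ popped) & (FLAG_IF | FLAG_IOPL | FLAG_NT));
}

/* Exception for an instruction covered by the CPL > IOPL rule: 13 or 0. */
int iopl_check_exception(unsigned cpl, uint16_t flags)
{
    return (cpl > iopl_of(flags)) ? 13 : 0;
}

int main(void)
{
    /* Constructed case: IOPL = 0, IF = 1; a CPL 3 task tries IOPL = 3, IF = 0. */
    uint16_t cur = 0x0202, popped = 0x3002;

    printf("CPL 3 result: %04X (dropped %04X)\n",
           (unsigned)load_flag_word(cur, popped, 3, PROTECTED_MODE),
           (unsigned)dropped_fields(cur, popped, 3, PROTECTED_MODE));
    printf("CPL 0 result: %04X\n",
           (unsigned)load_flag_word(cur, popped, 0, PROTECTED_MODE));
    printf("CPL 3 with IOPL 0, checked instruction: exception %d\n",
           iopl_check_exception(3, cur));
    return 0;
}
```

The load itself never faults: the privileged fields are silently left alone, so software that needs to notice the attempt has to compare the requested and resulting flag words.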
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80286 INSTRUCTION SET SUMMARY ; re 


Protected Protected 
Virtual Virtual 

FUNCTION FORMAT Address Address 
Mode Mode 


DATA TRANSFER 
MOV = Move: 


Register to Register/Memory 000100w 

Register/memory to register . 000101w 

Immediate to register/memory. 100011w 
Immediate to register O11w_ reg data 

Memory to accumulator 010000w addr-low 

Accumulator to memory 010001w 


Register/memory to segment register [1.000111 0 
Segment register to register/memory |10001100 
PUSH = Push: 
Memory a Mis ef i | mod110 = r/m 
Register 01010 = reg 
Segment register 000 reg 110 


Ammediate = TOT OS OL data] dataifs=0 


yF 


| PUSHA = Pusha 


01100000) — 


POP = Pop: 
Memory 0001111 mod000 f/m 


Register 01011 reg 


Segment register 000 reg 111 (reg #01) 



-POPA=PopAl 


XCHG = Exchange: 
Register/memory with register 000011Ww modreg r/m 


Register with accumulator 0010 = reg 


IN =Input from: 
Fixed port 110010w 


Variable port 110110w 


(=) 


OUT = Output to: 
Fixed port 110011w 


Variable port 110111w 

XLAT = Translate byte to AL 11010111 

LEA = Load EA to register 10001101 modreg r/m 

LDS = Load pointer to DS 11000101 modreg f/m (mod # 11) 
LES = Load pointer to ES 11000100 modreg f/m (mod # 11) 
LAHF = Load AH with flags 10011111 

SAHF = Store AH into flags 1.0 tT tat 

PUSHF = Push flags 0011100 

POPF = Pop flags 0011101 


—_ 


= 


Shaded areas indicate instructions not available iniAPX 86, 88 microsystems. 
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80286 INSTRUCTION SET SUMMARY (Continued) 


FUNCTION 


ARITHMETIC 
ADD = Add: 
Reg/memory with register to either 


Immediate to register/memory 
Immediate to accumulator 


ADC = Add with carry: 
Reg/memory with register to either 


Immediate to register/memory 
Immediate to accumulator 


INC = Increment: 
Register/memory 


Register 


SUB = Subtract: 
Reg/memory and register to either 


Immediate from register/memory 


Immediate from accumulator 


SBB = Subtract with borrow: 
Reg/memory and register to either 


Immediate from register/memory 
Immediate from accumulator 


DEC = Decrement: 
Register/memory 


Register 


CMP = Compare: 
Register/memory with register 


Register with register/memory 
Immediate with register/memory 
Immediate with accumulator 

NEG = Change sign 

AAA = ASCII adjust for add 

DAA = Decimal adjust for add 
AAS = ASCII adjust for subtract 
DAS = Decimal adjust for subtract 


MUL = Multiply (unsigned): 
Register-Byte 
Register-Word 
Memory-Byte 
Memory-Word 


IMUL = Integer multiply (signed): 
Register-Byte 

Register-Word 

Memory-Byte 

Memory-Word 


MUL = Integer immediate multiply 
~ (signed) 


DIV = Divide (unsigned): 
Register-Byte 
Register-Word 
Memory-Byte 
Memory-Word 


CLOCK COUNT COMMENTS 


Protected Protected 


Virtual Virtual 
FORMAT Address Address 


Mode Mode 


000000dw 
00000sw 
000010w 


modreg f/m 
mod000 = t/m 


data ifs w= 01 


data if w = 1 


000100dw modreg fr/m 
00000s w mod010 = r/m data 
001010w data 


data ifs w=01 


data ifw= 1 


1117111Ww 
1000 reg 


mod000 r/m 


01010dw 
00000sw 


| 


modreg c/m 
mod101 = r/m 
data 


dataifsw=01 



data if w = 1 


000110dw 
00000sw 
001110w 


modreg r/m 
mod011 = r/m 


data data ifsw=01 


data if w = 1 


111111w 
1001 reg 


mod001 = r/m 


011101w 
011100Ww 
00000sw 
011110w 
111011w 
011011 1 
0100111 
0 fee es le J | 
0101111 


modreg r/m 

modreg r/m 

mod111  r/m data 
_ data 
mod0%1 = r/m 


dataifsw=01 


data if w = 1 


fon) 


: 


111011w mod100 r/m 


1111011w 


mod101 = r/m 


011010s 1 mod reg s/m 


data ifs=0 


1111011Ww mod110 r/m 


Shaded areas indicate instructions not available in iAPX 86, 88 microsystems. 
ADVANCE INFORMATION

FUNCTION

ARITHMETIC (Continued):
IDIV = Integer divide (signed):
Register-Byte
Register-Word
Memory-Byte
Memory-Word
AAM = ASCII adjust for multiply
AAD = ASCII adjust for divide
CBW = Convert byte to word
CWD = Convert word to double word

LOGIC
Shift/Rotate Instructions:
Register/Memory by 1
Register/Memory by CL
AND = And:
Reg/memory and register to either
Immediate to register/memory
Immediate to accumulator
TEST = And function to flags, no result:
Register/memory and register
Immediate data and register/memory
Immediate data and accumulator
OR = Or:
Reg/memory and register to either
Immediate to register/memory
Immediate to accumulator
XOR = Exclusive or:
Reg/memory and register to either
Immediate to register/memory
Immediate to accumulator
NOT = Invert register/memory

STRING MANIPULATION:
MOVS = Move byte/word
CMPS B/W = Compare byte/word
SCAS = Scan byte/word
LODS = Load byte/wd to AL/AX
STOS = Store byte/wd from AL/AX

FORMAT | CLOCK COUNT (Real Address Mode, Protected Virtual Address Mode) | COMMENTS (Real Address Mode, Protected Virtual Address Mode)

1111011w mod 111 r/m

1101000w mod TTT r/m

mod TTT r/m

20°
5+n 8+n*

01000dw mod reg r/m
1000000w mod 100 r/m
data if w = 1

1000010w mod reg r/m

111011w mod 000 r/m
1010100w data    data if w = 1

00010dw
1000000w mod 001 r/m data

0000110w data    data if w = 1

mod reg r/m

data if w = 1

01100dw mod reg r/m

000000w mod 110 r/m
0011010w data    data if w = 1

1111011w mod 010 r/m

1010010w
1010011w
1010111w
1010110w
1010101w
80286 INSTRUCTION SET SUMMARY (Continued)

FUNCTION | FORMAT | CLOCK COUNT (Real Address Mode, Protected Virtual Address Mode) | COMMENTS (Real Address Mode, Protected Virtual Address Mode)

STRING MANIPULATION (Continued):
Repeated by count in CX
MOVS = Move string        11110010 1010010w
CMPS = Compare string     1111001z 1010011w
SCAS = Scan string        1010111w
LODS = Load string        11110010 1010110w
STOS = Store string       11110010 1010101w
INS = Input string        11110010 0110110w
OUTS = Output string      11110010 0110111w

CONTROL TRANSFER

CALL = Call:
Direct within segment                        11101000 disp-high    7+m
Register/memory indirect within segment      mod 010 r/m           7+m, 11+m*    8,9,18
Direct intersegment                          10011010 segment offset    26+m     11,12,18

Protected Mode Only (Direct intersegment):
Via call gate to same privilege level                        41+m       8,11,12,18
Via call gate to different privilege level, no parameters    82+m       8,11,12,18
Via call gate to different privilege level, x parameters     86+4x+m    8,11,12,18
Via TSS                                                      177+m      8,11,12,18
Via task gate                                                182+m      8,11,12,18

Indirect intersegment (mod ≠ 11)             29+m*      8,9,11,12,18
Protected Mode Only (Indirect intersegment):
Via call gate to same privilege level                        44+m*       8,9,11,12,18
Via call gate to different privilege level, no parameters    83+m*       8,9,11,12,18
Via call gate to different privilege level, x parameters     90+4x+m*    8,9,11,12,18
Via TSS                                                      180+m*      8,9,11,12,18
Via task gate                                                185+m*      8,9,11,12,18

JMP = Unconditional jump:
Short/long 40044 7+ 18
Direct within segment                        11101001 disp-high      7+m           18
Register/memory indirect within segment      11111111 mod 100 r/m    7+m, 11+m*    9,18
Direct intersegment                          11101010 segment offset, segment selector    23+m    11,12,18

Protected Mode Only (Direct intersegment):
Via call gate to same privilege level        8,11,12,18
Via TSS                                      8,11,12,18
Via task gate                                8,11,12,18

Indirect intersegment                        mod 101 r/m (mod ≠ 11)    8,9,11,12,18
Protected Mode Only (Indirect intersegment):
Via call gate to same privilege level        8,9,11,12,18
Via TSS                                      8,9,11,12,18
Via task gate                                8,9,11,12,18

RET = Return from CALL:
Within segment                               11000011              8,9,18
Within seg adding immed to SP                11000010 data-high    8,9,18
Intersegment                                                       8,9,11,12,18
Intersegment adding immediate to SP          11001010 data-high    8,9,11,12,18

Protected Mode Only (RET):
To different privilege level                 9,11,12,18
FUNCTION | FORMAT | CLOCK COUNT (Real Address Mode, Protected Virtual Address Mode) | COMMENTS (Real Address Mode, Protected Virtual Address Mode)

CONTROL TRANSFER (Continued):
JE/JZ = Jump on equal/zero                       1110100          7+m or 3    7+m or 3
JL/JNGE = Jump on less/not greater or equal                       7+m or 3    7+m or 3
JLE/JNG = Jump on less or equal/not greater      1111110          7+m or 3    7+m or 3
JB/JNAE = Jump on below/not above or equal       01110010 disp    7+m or 3    7+m or 3
JBE/JNA = Jump on below or equal/not above       01110110 disp    7+m or 3    7+m or 3
JP/JPE = Jump on parity/parity even                               7+m or 3    7+m or 3
JO = Jump on overflow                                             7+m or 3    7+m or 3
JS = Jump on sign                                                 7+m or 3    7+m or 3
JNE/JNZ = Jump on not equal/not zero                              7+m or 3    7+m or 3
JNL/JGE = Jump on not less/greater or equal      01111101 disp    7+m or 3    7+m or 3
JNLE/JG = Jump on not less or equal/greater      01111111 disp    7+m or 3    7+m or 3
JNB/JAE = Jump on not below/above or equal       01110011 disp    7+m or 3    7+m or 3
JNBE/JA = Jump on not below or equal/above                        7+m or 3    7+m or 3
JNP/JPO = Jump on not par/par odd                                 7+m or 3    7+m or 3
JNO = Jump on not overflow                                        7+m or 3    7+m or 3
JNS = Jump on not sign                                            7+m or 3    7+m or 3
LOOP = Loop CX times                             11100010 disp    8+m or 4    8+m or 4
LOOPZ/LOOPE = Loop while zero/equal              11100001 disp    8+m or 4    8+m or 4
LOOPNZ/LOOPNE = Loop while not zero/equal        11100000 disp    8+m or 4    8+m or 4
JCXZ = Jump on CX zero                           11100011 disp    8+m or 4    8+m or 4


111001000 ~ data-high 


ee AB. 
oe 16+4(L~1) | 16+4(L-1) 
44100100 14. 5 Sg 


INT = Interrupt:
Type specified                       type        23+m
Type 3                               11001100    23+m
INTO = Interrupt on overflow         11001110    24+m or 3 (3 if no interrupt)    (3 if no interrupt)

Protected Mode Only:
Via interrupt or trap gate to same privilege level         40+m     7,8,11,12,18
Via interrupt or trap gate to different privilege level    78+m     7,8,11,12,18
Via Task Gate                                              167+m    7,8,11,12,18

IRET = Interrupt return              11001111    31+m    2,4    8,9,11,12,15,18
Protected Mode Only:
To different privilege level         55+m     8,9,11,12,15,18
To different task (NT = 1)           169+m    8,9,11,12,18

01100010 mod reg r/m    (Use INT clock count if exception)
FUNCTION | FORMAT | CLOCK COUNT (Real Address Mode, Protected Virtual Address Mode)

PROCESSOR CONTROL
CLC = Clear carry           2    2
CMC = Complement carry      2    2
STC = Set carry             2    2
CLD = Clear direction       2    2
STD = Set direction         2    2
CLI = Clear interrupt       3    3
STI = Set interrupt         2    2
HLT = Halt                  2    2
WAIT = Wait                 3    3
LOCK = Bus lock prefix      0    0
CLTS = Clear task switched flag

ESC = Processor Extension Escape    11011TTT mod LLL r/m
(TTT LLL are opcode to processor extension)

SEG = Segment Override Prefix       001 reg 110

PROTECTION CONTROL

LGDT = Load global descriptor table register
SGDT = Store global descriptor table register
LIDT = Load interrupt descriptor table register
SIDT = Store interrupt descriptor table register

LLDT = Load local descriptor table register
9-20": 20*
from register/memory        00001111 00000000 mod 010 r/m
SLDT = Store local descriptor table register
to register/memory          00001111 00000000 mod 000 r/m
LTR = Load task register
from register/memory        00001111 00000000 mod 011 r/m
STR = Store task register
to register/memory          00001111 00000000 mod 001 r/m
LMSW = Load machine status word
from register/memory        00001111 00000001 mod 110 r/m
SMSW = Store machine status word    00001111 00000001 mod 100 r/m

LAR = Load access rights
from register/memory        00001111 00000010 mod reg r/m
LSL = Load segment limit
from register/memory        00001111 00000011
ARPL = Adjust requested privilege level:
from register/memory        01100011    10*, 11*
VERR = Verify read access: register/memory    00001111 00000000 mod 100 r/m    14,16*
VERW = Verify write access:                   00001111 00000000                14,16*
Footnotes

The effective address (EA) of the memory operand is computed
according to the mod and r/m fields:

if mod = 11 then r/m is treated as a REG field
if mod = 00 then DISP = 0*, disp-low and disp-high are absent
if mod = 01 then DISP = disp-low sign-extended to 16 bits, disp-high is absent
if mod = 10 then DISP = disp-high: disp-low

if r/m = 000 then EA = (BX) + (SI) + DISP
if r/m = 001 then EA = (BX) + (DI) + DISP
if r/m = 010 then EA = (BP) + (SI) + DISP
if r/m = 011 then EA = (BP) + (DI) + DISP
if r/m = 100 then EA = (SI) + DISP
if r/m = 101 then EA = (DI) + DISP
if r/m = 110 then EA = (BP) + DISP*
if r/m = 111 then EA = (BX) + DISP

DISP follows 2nd byte of instruction (before data if required)

*except if mod = 00 and r/m = 110 then EA = disp-high: disp-low.

REG is assigned according to the following table:

16-Bit (w = 1)    8-Bit (w = 0)
000 AX            000 AL
001 CX            001 CL
010 DX            010 DL
011 BX            011 BL
100 SP            100 AH
101 BP            101 CH
110 SI            110 DH
111 DI            111 BH

The physical addresses of all operands addressed by the BP
register are computed using the SS segment register. The physical
addresses of the destination operands of the string primitive
operations (those addressed by the DI register) are computed using
the ES segment, which may not be overridden.
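The mod and r/m rules in the footnotes above, written out as a decoder. This is an added example, not code from the manual; the names decode_ea, regs16 and ea_t are hypothetical, and DS as the default segment for operands not addressed through BP is assumed from the standard 8086-family rules.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint16_t bx, bp, si, di; } regs16;  /* registers that take part in EA */
typedef enum { SEG_DS, SEG_SS } seg_t;

typedef struct {
    int      ok;           /* 0 when the displacement bytes are not all present  */
    int      is_register;  /* mod = 11: r/m is a REG field, there is no EA       */
    uint16_t ea;           /* 16-bit offset, wraps modulo 64K                    */
    int      disp_len;     /* displacement bytes that follow the 2nd byte        */
    seg_t    seg;          /* SS when BP takes part in the address, else DS      */
} ea_t;

/* modrm is the 2nd instruction byte; disp points at the bytes after it. */
ea_t decode_ea(uint8_t modrm, const uint8_t *disp, size_t avail, const regs16 *r)
{
    ea_t out = {1, 0, 0, 0, SEG_DS};
    unsigned mod = modrm >> 6, rm = modrm & 7u;
    int direct = (mod == 0 && rm == 6);   /* the footnote's '*' exception */
    uint16_t d = 0, sum = 0;

    if (mod == 3) { out.is_register = 1; return out; }

    out.disp_len = direct ? 2 : (mod == 1 ? 1 : (mod == 2 ? 2 : 0));
    if (avail < (size_t)out.disp_len) { out.ok = 0; return out; }  /* truncated instruction */

    if (out.disp_len == 1) {
        d = disp[0];
        if (d & 0x80u) d |= 0xFF00u;      /* disp-low sign-extended to 16 bits */
    } else if (out.disp_len == 2) {
        d = (uint16_t)(disp[0] | (disp[1] << 8));   /* disp-high: disp-low */
    }

    switch (rm) {
    case 0: sum = (uint16_t)(r->bx + r->si); break;
    case 1: sum = (uint16_t)(r->bx + r->di); break;
    case 2: sum = (uint16_t)(r->bp + r->si); out.seg = SEG_SS; break;
    case 3: sum = (uint16_t)(r->bp + r->di); out.seg = SEG_SS; break;
    case 4: sum = r->si; break;
    case 5: sum = r->di; break;
    case 6: if (!direct) { sum = r->bp; out.seg = SEG_SS; } break;
    case 7: sum = r->bx; break;
    }
    out.ea = (uint16_t)(sum + d);
    return out;
}

int main(void)
{
    /* Constructed register values and instruction bytes, for illustration only. */
    regs16 r = {0x1000, 0x2000, 0x0010, 0x0020};
    const uint8_t disp8[]  = {0xFE};          /* -2 */
    const uint8_t disp16[] = {0x34, 0x12};    /* 1234H */
    ea_t a = decode_ea(0x46, disp8, sizeof disp8, &r);    /* mod 01, r/m 110 */
    ea_t b = decode_ea(0x06, disp16, sizeof disp16, &r);  /* mod 00, r/m 110 */
    printf("[BP-2]  EA=%04X seg=%s\n", (unsigned)a.ea, a.seg == SEG_SS ? "SS" : "DS");
    printf("[1234H] EA=%04X seg=%s\n", (unsigned)b.ea, b.seg == SEG_SS ? "SS" : "DS");
    return 0;
}
```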


SEGMENT OVERRIDE PREFIX

001 reg 110

reg is assigned according to the following:

reg    Segment Register
00     ES
01     CS
10     SS
11     DS
APPENDIX D
iAPX 86/88 SOFTWARE COMPATIBILITY CONSIDERATIONS

List of Minor Differences Between
iAPX 86 and iAPX 286 (Real Mode)

In general, the real address mode iAPX 286 will correctly execute
ROM-based iAPX 86/88 software. The following is a list of the minor
differences between iAPX 86 and iAPX 286 (Real mode).

1. Add Six Interrupt Vectors.

The iAPX 286 adds six interrupts which arise only if the iAPX 86/88
program has a hidden bug. These interrupts occur only for
instructions which were undefined on the 8086/8088 or if a segment
wraparound is attempted. It is recommended that you add an
interrupt handler to the iAPX 86/88 software that is to be run on
the iAPX 286, which will treat these interrupts as invalid
operations.

This additional software does not significantly affect the existing
iAPX 86/88 software because the interrupts do not normally occur
and should not already have been used since they are in the
interrupt group reserved by Intel. Table D-1 describes the new
iAPX 286 interrupts.

Table D-1. New iAPX 286 Interrupts

Interrupt Number

A BOUND instruction was executed with a register value outside the
two limit values.

An undefined opcode was encountered.

The EM bit in the MSW has been set and an ESC instruction was
executed. This interrupt will also occur on WAIT instructions if TS
is set.

The interrupt table limit was changed by the LIDT instruction to a
value between 20H and 42H. The default limit after reset is 3FFH,
enough for all 256 interrupts.

A processor extension data transfer exceeded offset 0FFFFH in a
segment. This interrupt handler must execute FNINIT before any ESC
or WAIT instruction is executed.

Segment wraparound was attempted by a word operation at offset
0FFFFH.

When 80286 attempted to execute a coprocessor instruction ERROR pin
indicated an unmasked exception from previous coprocessor
instruction.

2. Do not Rely on iAPX 86/88 Instruction Clock Counts.

The iAPX 286 takes fewer clocks for most instructions than the
iAPX 86/88. The areas to look into are delays between I/O
operations, and assumed delays in iAPX 86/88 operating in parallel
with an 8087.

3. Divide Exceptions Point at the DIV Instruction.

Any interrupt on the iAPX 286 will always leave the saved CS:IP
value pointing at the beginning of the instruction that failed
(including prefixes). On the iAPX 86/88, the CS:IP value saved for
a divide exception points at the next instruction.

4. Use Interrupt 16 for Numeric Exceptions.

Any iAPX 286/20 system must use interrupt vector 16 for the numeric
error interrupt. If an iAPX 86/20 or iAPX 88/20 system uses another
vector for the 8087 interrupt, both vectors should point at the
numeric error interrupt handler.

5. Numeric Exception Handlers Should Allow Prefixes.

The saved CS:IP value in the NPX environment save area will point
at any leading prefixes before an ESC instruction. On iAPX 86/88
systems, this value points only at the ESC instruction.

6. Do Not Attempt Undefined iAPX 86/88 Operations.

iAPX 86/88 instructions like POP CS or MOV CS,op will either cause
exception 6 (undefined opcode) or perform a protection setup
operation like LIDT on the iAPX 286. Undefined bit encodings for
bits 5-3 of the second byte of POP MEM or PUSH MEM will cause
exception 13 on the iAPX 286.

7. Place a Far JMP Instruction at FFFF0H.

After reset, CS:IP = F000:FFF0 on the iAPX 286 (versus FFFF:0000 on
the iAPX 86/88). This change was made to allow sufficient code
space to enter protected mode without reloading CS. Placing a far
JMP instruction at FFFF0H will avoid this difference. Note that the
BOOTSTRAP option of LOC86 will automatically generate this jump
instruction.

8. Do not Rely on the Value Written by PUSH SP.

The iAPX 286 will push a different value on the stack for PUSH SP
than the iAPX 86/88. If the value pushed is important, replace
PUSH SP instructions with the following three instructions:

    PUSH    BP
    MOV     BP,SP
    XCHG    BP,[BP]

This code functions as the iAPX 86/88 PUSH SP instruction on the
iAPX 286.

9. Do not Shift or Rotate by More than 31 Bits.

The iAPX 286 masks all shift/rotate counts to the low 5 bits. This
MOD 32 operation limits the count to a maximum of 31 bits. With
this change, the longest shift/rotate instruction is 39 clocks.
Without this change, the longest shift/rotate instruction would be
264 clocks, which delays interrupt response until the instruction
completes execution.

10. Do not Duplicate Prefixes.

The iAPX 286 sets an instruction length limit of 10 bytes. The only
way to violate this limit is by duplicating a prefix two or more
times before an instruction. Exception 6 occurs if the instruction
length limit is violated. The iAPX 86 or 88 has no instruction
length limit.

11. Do not Rely on Odd iAPX 86/88 LOCK Characteristics.

The LOCK prefix and its corresponding output signal should only be
used to prevent other bus masters from interrupting a data movement
operation. The iAPX 286 will always assert LOCK during an XCHG
instruction with memory (even if the LOCK prefix was not used).
LOCK should only be used with the XCHG, MOV, MOVS, INS, and OUTS
instructions.

The iAPX 286 LOCK signal will not go active during an instruction
prefetch.

12. Do not Single Step External Interrupt Handlers.

The priority of the iAPX 286 single step interrupt is different
from that of the iAPX 86/88. This change was made to prevent an
external interrupt from being single-stepped if it occurs while
single stepping through a program. The iAPX 286 single step
interrupt has higher priority than any external interrupt.

The iAPX 286 will still single step through an interrupt handler
invoked by INT instructions or an instruction exception.

13. Do not Rely on IDIV Exceptions for Quotients of 80H or 8000H.

The iAPX 286 can generate the largest negative number as a quotient
for IDIV instructions. The iAPX 86 will instead cause exception 0.

14. Do not Rely on NMI Interrupting NMI Handlers.

After an NMI is recognized, the NMI input and processor extension
limit error interrupt is masked until the first IRET instruction is
executed.

15. The NPX error signal does not pass through an interrupt
controller (an 8087 INT signal does). Any interrupt
controller-oriented instructions for the iAPX 86/20 may have to be
deleted.

16. If any real-mode program relies on address space wrap-around
(e.g. FFF0:0400=0000:0300), then external hardware should be used
to force the upper 4 addresses to zero during real mode.

17. Do not use I/O ports 00F8-00FFH. These are reserved for
controlling 80287 and future processor extensions.
APPENDIX E
iAPX 286/386 SOFTWARE COMPATIBILITY CONSIDERATIONS

This appendix describes the considerations required in designing an
Operating System for the protected mode iAPX 286 so that it will
operate on an iAPX 386. An iAPX 286 Operating System running on the
iAPX 386 would not use any of the advanced features of the iAPX 386
(i.e., paging or segments larger than 64K), but would run iAPX 286
code faster. Use of the new iAPX 386 features requires changes in
the iAPX 286 Operating System.

The iAPX 386 is no different than any other software compatible
processor in terms of requiring the same system environment to run
the same software; the iAPX 386 must have the same amount of
physical memory and I/O devices in the system as the iAPX 286
system to run the same software. Note that an iAPX 386 system
requires a different memory system to achieve the higher
performance.

The iAPX 286 design considerations can be generally characterized
as avoiding use of functions or memory that the iAPX 386 will use.
The exception to this rule is initialization code executed after
power up. Such code must be changed to configure the iAPX 386
system to match that of the iAPX 286 system.

The following are iAPX 286/386 software compatibility design
considerations:

1. Isolate the protected mode initialization code.

System initialization code will be required on the iAPX 386 to
program operating parameters before executing any significant
amount of iAPX 286 software. The iAPX 286 initialization software
should be isolated from the rest of the Operating System.

The initialization code in Appendix A is an example of isolated
initialization code. Such code can be extended to include
programming of operating parameters before executing the initial
protected mode task.

2. Self-modifying code requires cache flushes.

The code cache of the iAPX 386 requires consideration in the
Operating System to support special cases of self-modifying code.
In general, self-modifying code will not work on iAPX 386 with
caching enabled.

Debuggers or loaders that change instructions (by overlaying data
segments over code segments) should use an Operating System call to
flush the cache. An iAPX 286 Operating System would do nothing with
this call. An alternative approach is for the iAPX 286 Operating
System to flush the cache automatically (do nothing on an iAPX 286)
after subroutines or Operating System calls known to modify code
segments.

3. Avoid wraparound of iAPX 286 24-bit physical address space.

Since the iAPX 386 has a larger physical address space, any segment
whose base address is greater than FF0000 and whose limit is beyond
FFFFFF will address the seventeenth megabyte of memory in the
iAPX 386 32-bit physical address space instead of the first
megabyte on an iAPX 286.

No expand-down segments should have a base address in the range
FF00001-FFFFFF. No expand-up segments should wrap around the
iAPX 286 address space (the sum of their base and limit is in the
range 000000-00FFFE).

4. Zero the last word of every iAPX 286 descriptor.

The iAPX 386 uses the last word of each descriptor to expand the
base address and limit fields of segments. Placing zeros in the
descriptor will cause the iAPX 386 to treat the segments the same
way as an iAPX 286 (except for address space wraparound as
mentioned above).

5. Use only 80H or 00H for invalid descriptors.

The iAPX 386 uses more descriptor types than the iAPX 286. Numeric
values of 8-15 in bits 3-0 of the access byte for control
descriptors will cause a protection exception on the iAPX 286, but
may be defined for other segment types on the iAPX 386. Access byte
values of 80H and 00H will remain undefined descriptors on both the
iAPX 286 and the iAPX 386.

6. Put error interrupt handlers in reserved interrupts 14, 15,
17-31.

Some of the unused, Intel-reserved interrupts of the iAPX 286 will
be used by the iAPX 386 (i.e., page fault or bus error). These
interrupts should not occur while executing an iAPX 286 operating
system on an iAPX 386. However, it is safest to place an interrupt
handler in these interrupts to print an error message and stop the
system if they do occur.

7. Do not change bits 15-4 of MSW.

The iAPX 386 uses some of the undefined bits in the machine status
word. iAPX 286 software should ignore bits 15-4 of the MSW. To
change the MSW on an iAPX 286, read the old value first with LMSW,
change bits 3-0 only, then write the new value with SMSW.

8. Use a restricted LOCK protocol for multiprocessor systems.

The iAPX 386 supports the iAPX 86/286 LOCK functions for simple
instructions, but not the string move instructions. Any need for
locked string moves can be satisfied by gaining control of a status
semaphore before using the string move instruction. Any attempt to
execute a locked string move will cause a protection exception on
the iAPX 386.

The general iAPX 286 LOCK protocol does not efficiently extend to
large multiprocessor systems. If all the processors in the system
frequently use the iAPX 86/286 LOCK, they will prevent other
processors from accessing memory and thereby impact system
performance.

Access to semaphores in the future, including current iAPX 286
Operating Systems, should use a protocol with the following
restrictions:

- Be sure the semaphore starts at a physical memory address that is
  a multiple of 4.

- Do not use string moves to access the variable.

- All accesses by any instruction or I/O device (even simple reads
  or writes) must use the LOCK prefix or system LOCK signal.
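The descriptor rules above (avoid wraparound of the 24-bit address space, zero the last word, use only 80H or 00H for invalid descriptors) can be checked mechanically over a descriptor table before an iAPX 286 operating system is run on an iAPX 386. The following audit is an added example, not code from the manual; the function names and the sample table are constructed here, and the 8-byte layout (limit word, 24-bit base, access byte, reserved last word) and the fact that control types 1-3 carry a base and limit are assumed from the standard iAPX 286 descriptor format, which this appendix does not restate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One bit per finding. */
enum {
    F_LAST_WORD_NONZERO  = 1 << 0,  /* bytes 6-7 are not zero                    */
    F_EXPAND_UP_WRAPS    = 1 << 1,  /* base + limit runs past FFFFFFH            */
    F_EXPAND_DOWN_HIGH   = 1 << 2,  /* expand-down segment, base above FF0000H   */
    F_CONTROL_TYPE_8_15  = 1 << 3,  /* control descriptor with type 8-15         */
    F_ODD_INVALID_MARKER = 1 << 4   /* type 0 but access byte is not 80H or 00H  */
};

/* Audit one 8-byte descriptor exactly as it sits in a GDT or LDT (little-endian). */
unsigned audit_descriptor(const uint8_t d[8])
{
    uint32_t limit  = (uint32_t)d[0] | ((uint32_t)d[1] << 8);
    uint32_t base   = (uint32_t)d[2] | ((uint32_t)d[3] << 8) | ((uint32_t)d[4] << 16);
    uint8_t  access = d[5];
    unsigned type   = access & 0x0Fu;          /* bits 3-0 of the access byte        */
    int is_segment  = (access & 0x10u) != 0;   /* assumed: S bit set = code or data  */
    int has_base_limit, expand_down;
    unsigned found  = 0;

    if (d[6] != 0 || d[7] != 0)
        found |= F_LAST_WORD_NONZERO;

    if (!is_segment) {
        if (type >= 8)
            found |= F_CONTROL_TYPE_8_15;
        else if (type == 0 && access != 0x80 && access != 0x00)
            found |= F_ODD_INVALID_MARKER;
    }

    /* Gates (assumed types 4-7) hold a selector and offset, not a base and limit. */
    has_base_limit = is_segment || (type >= 1 && type <= 3);
    if (has_base_limit) {
        /* assumed: data segment (bit 3 clear) with bit 2 set is expand-down */
        expand_down = is_segment && !(access & 0x08u) && (access & 0x04u);
        if (expand_down) {
            if (base > 0xFF0000u)
                found |= F_EXPAND_DOWN_HIGH;
        } else if (base + limit > 0xFFFFFFu) {
            found |= F_EXPAND_UP_WRAPS;
        }
    }
    return found;
}

/* Number of entries in a table that have at least one finding. */
size_t count_flagged(const uint8_t table[][8], size_t n)
{
    size_t i, flagged = 0;
    for (i = 0; i < n; i++)
        if (audit_descriptor(table[i]) != 0)
            flagged++;
    return flagged;
}

/* Constructed sample table, for illustration only. */
static const uint8_t SAMPLE_TABLE[6][8] = {
    {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},  /* null entry, access 00H     */
    {0xFF, 0xFF, 0x00, 0x00, 0x01, 0x92, 0x00, 0x00},  /* data, base 010000H: clean  */
    {0xFF, 0xFF, 0x00, 0x80, 0xFF, 0x9A, 0x00, 0x00},  /* code, base FF8000H: wraps  */
    {0x00, 0x10, 0x01, 0x00, 0xFF, 0x96, 0x00, 0x00},  /* expand-down, base FF0001H  */
    {0xFF, 0x0F, 0x00, 0x00, 0x02, 0x92, 0x01, 0x00},  /* last word not zero         */
    {0x67, 0x00, 0x00, 0x10, 0x00, 0x89, 0x00, 0x00}   /* control type 9             */
};

int main(void)
{
    size_t i;
    for (i = 0; i < 6; i++)
        printf("entry %u: findings 0x%02X\n", (unsigned)i, audit_descriptor(SAMPLE_TABLE[i]));
    printf("%u of 6 entries need attention\n", (unsigned)count_flagged(SAMPLE_TABLE, 6));
    return 0;
}
```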


INDEX

AAA, 3-28, B-14, C-7
AAD, 3-28, B-15, C-7
AAM, 3-28, B-16, C-7
AAS, 3-28, B-17, C-7
ADC, 3-2, B-18, C-7
ADD, 3-7, B-18, C-7
Addressing Modes, 2-15
Based Indexed Mode, 2-20
Based Indexed Mode with Displacement, 2-20
Based Mode (on BX or BP Registers), 2-20
Direct Address Mode, 2-20
Displacement, 2-16, B-1, B-2
Immediate Operand, 2-16, B-1, B-2, B-4, B-5
Indexed Mode (by DI or SI), 2-20
Opcode, 2-16, 2-21
Register Indirect Mode, 2-20
Summary, 2-20
AF Flag,
(see Flags)
AH Register, 2-7, 2-17, 3-9, 3-25, 3-27, 3-28, B-56, C-47
AL Register, 2-7, 2-17, 3-9, 3-25, 3-27, 3-28, 3-30, B-73
AND Instruction, 2-23, 3-10, B-19
Arithmetic Instructions, 3-31
ASCII
(see Data Types),
AX Register, 2-6, 2-7, 2-12, 2-16, 3-8, 3-9, 3-17, 3-24, 3-30, B-73

Based Index Mode
(see Addressing Modes),
Based Index Mode with Displacement
(see Addressing Modes),
Based Mode
(see Addressing Modes),
BCD Arithmetic
(see Data Movement Instructions),
BH Register, 2-7, 2-17, 3-9
BL Register, 2-7, 2-17, 3-9, 3-17
BOUND Instruction
(see Extended Instruction Set),
Bound Range Exceeded (Interrupt 5),
(see Interrupt Handling),
BP Register, 2-6, 2-7, 2-10, 2-11, 2-12, 2-17, 2-19, 3-8, 3-9, 3-10, 3-15, 3-17, 3-19, 3-25, 3-26
Breakpoint Interrupt 3,
(see Interrupt Handling)
BUSY, 3-31
BX Register, 2-6, 2-7, 2-10, 2-11, 2-12, 2-17, 2-19, 3-8, 3-9, 3-10, 3-15, 3-17, 3-19, 3-25, 3-26
Byte
(See Data Types),


CALL Instructions, 3-18, 3-20, 7-18, B-22, B-23, B-24, C-43
Call Gates, 7-16 through 7-20, C-47
CBW Instructions, 3-17, B-25, C-46
CF (Carry Flag)
(see Flags),
CH Register, 2-7, 2-17
CL Register, 2-7, 2-17, 3-11 through 3-16
CLC Instruction, 3-26, B-26, C-49
CLD Instruction, 2-15, 3-27, B-27, C-49
CLI Instruction, 2-15, 3-29, B-28, C-49
CLTS Instruction, 10-4, 10-5, B-29, C-49
CMPS Instruction, 3-5, 3-24, 3-25, B-32, C-46, C-47
CMP Instruction, 3-17, B-36, C-45
Code Segment Access, 7-12, 7-13, 11-1, 11-2
Comparison Instructions, 3-31
Conforming Code Segments, 7-12, 7-13, 11-1, 11-20
Constant Instructions, 3-31
Control Transfers, 7-15, 7-16
CPL (Current Privilege Level), - 10, 7-14, C-43
CS Register, 2-7, 2-8, 2-17, 2-18, 3-18, 3-19, 3-20, 5-5
CWD Instruction, 3-17, B-33, C-36
CX Register, 2-6, 2-7, 2-17, 3-18, 3-24 through 3-26


DAA, 3-28, B-34, C-45
DAS, 3-28, B-35, C-45
Data Management Instructions, 4-1, 4-2, 5-5
Address Manipulation, 3-25, 3-26
Arithmetic Instructions, 3-6
Addition Instructions, 3-7
Division Instructions, 3-9
Multiplication Instructions, 3-8
Subtraction Instructions, 3-7
BCD Arithmetic, 2-3, 2-4, 2-6, 3-22, 3-24
Character Transfer and String Instructions, 3-23
Repeat Prefixes, 3-23, 3-24
String Move, 3-23, 3-24, 3-25
String Translate, 3-23
Control Transfer Instructions, 3-17
Conditional Transfer, 3-21, 3-22
Software Generated Interrupts, 3-23
Interrupt Instructions, 3-23
Unconditional Transfer, 3-18, 3-19, 3-20
Flag Control, 3-26, 3-27
Logical Instructions, 3-10
Shift and Rotate Instructions, 3-10 through 3-16
Type Conversion Instructions, 3-17
Processor Extension Instructions, 3-30, 3-31
Processor Extension Overview, 3-30, 3-31
Test and Compare Instructions, 3-17
Trusted Instructions, 3-29
Input/Output Instructions, 3-29, 3-30
Stack Manipulation, 3-1 through 3-5
Data Transfer Instructions, 3-31
Data Types, 2-1 through 2-6
ASCII, 2-3, 2-5, B-14 through B-17, C-45, C-46
BCD, 2-3
Byte, 2-1, 2-2, 2-3
Floating Point, 2-3
Integer, 2-3
Packed BCD, 2-3
Pointer, 2-3
Strings, 2-3
Word, 2-2, 2-3
DEC Instruction, 2-16, 3-8, B-36, C-45
Dedicated Interrupt Vector, 5-5
Descriptor Table, 6-4, 6-5, 6-6
Descriptor Table Register, 6-6, 6-9, 7-6, 10-1, 10-2, 10-3
DF Flag,
(see Flags),
DH Register, 2-7, 2-17
DI Instruction, 2-6, 2-10, 2-11, 2-15 through 2-19, 3-18, 3-23 through 3-26, 4-1
Direct Address Mode
(see Addressing Modes),
DIV Instruction, 1-24, 3-9, B-37, C-45
Divide Error (Interrupt 0)
(see Interrupt Handling),
DL Register, 2-7, 2-17
DPL (Descriptor Privilege Level), 6-8, 7-10 through 7-21, 8-4, 9-4, 11-1, 11-4, C-43
DS Register, 2-7, 2-8, 2-17, 2-18, 3-24, 5-7, B-58
DX Register, 2-6, 2-7, 2-17, 3-8, 3-9, 3-17, 3-18, 3-25, 3-26, 3-30, 4-1


EM (Bit in MSW), 10-4, 10-6
ENTER Instruction, 4-1 through 4-5, B-38, C-48
ES Register, 2-7, 2-8, 2-11, 2-17, 2-18, 2-19, 3-23, 3-24, 3-25, 4-1
ESC (Instructions for Coprocessor), 3-30, C-44
Extended Instruction Set (Chapter 4), 4-1 through 4-6
ENTER Build Stackframe, 4-1 through 4-5, B-38, C-48
LEAVE Remove Stackframe, 4-1, 4-5, B-61
Repeated IN and OUT String Instructions, 4-1, 4-2, B-89

Flag Register, 2-14, 2-15, 3-5, 3-6, B-83, B-86
Flags, 2-14, 2-15, 3-5 through 3-8, 3-25, B-56
see also Use of Flags with Basic Instructions, 2-14, 2-15, 3-5 through 3-8, 3-25, B-56
AF (Auxiliary Carry Flag), 2-14, 2-15, 3-5 through 3-10, 3-17, 3-25, 3-27, 3-28
CF (Carry Flag), 2-14, 3-5 through 3-17, 3-21, 3-25 through 3-27, B-26, B-30, B-88, B-100
DF (Direction Flag), 2-14, 2-15, 3-6, 3-7, 3-24 through 3-27, 4-2, B-27, B-100
IF (Interrupt Flag), 2-14, 2-15, 3-6, 3-7, 3-29, 5-5, 5-7, 9-2, 9-3, B-28, B-102, C-49
IOPL (Privilege Level), 2-14, 3-6, 3-29, 3-30, B-28, B-100
NT (Nested Task Flag), 2-14, 3-6, 8-7, 9-3, 9-5, 9-7, 10-1
OF (Overflow Flag), 2-14, 2-25, 3-5 through 3-11, 3-17, 3-21, 3-25
PF (Parity Flag), 2-14, 2-15, 3-6 through 3-11, 3-17, 3-21, 3-25, 3-27
SF (Sign Flag), 2-14, 3-5, 3-7 through 3-11, 3-17, 3-21, 3-25
TF (Trap Flag), 2-14, 2-15, 3-6, 3-7, 9-13
TS (Task Switch), 10-4, 10-5, B-29, C-49
ZF (Zero Flag), 2-14, 3-5 through 3-11, 3-21, 3-22, 3-24, 3-25, 3-27, 11-3
Floating Point
(see Data Types),


Gates, 7-16
GDT, 6-4 through 6-7, 6-10, 6-11, 6-12, 7-5 through 7-8, 7-17, C-43
GDTR (Global Descriptor Register), 6-4 through 6-7, 6-11, 6-12, 10-1, 10-3, B-97
General Protection Fault (Interrupt 3),
(see Interrupt Handling),
General Registers, 2-6

HALT Instruction, 2-16, 3-29, 10-5, B-39, C-49
Hierarchy of 86, 186, 286 Instruction Sets, 2-25, 2-26
Basic Instruction Set, 2-26, 3-1 through 3-31
Extended Instruction Set, Chapter 4
Instruction Set Overview, 2-25, 2-26
System Control Register Set, Chapters 4 through 10
HLT Instruction,
(see HALT Instruction),


I/O, 2-22
IDIV Instruction, 2-24, 3-9, 9-3, B-40, C-46
IDT (Interrupt Descriptor Table), 9-1 through 9-9, 9-25, 10-2, B-62, C-49
IDTR (Interrupt Descriptor Table Register), 9-1, 10-3
IF (Interrupt Flag),
(see Flags),
IMUL Instruction, 3-8, 3-9, B-41, C-45
IN Instruction, 2-22, 3-29, 3-30, B-42, C-49
INC Instruction, 2-16, 3-7, B-43, C-45
INDEX Field, 6-4, 6-7, 6-10, 6-12, 7-7
Indexed Mode, 2-20, 2-21, 2-22
Index, Pointer and Base Register, 2-10 through 2-14
Input/Output, 2-22, 2-23
Instructions, 3-29, 3-30
Memory Mapped I/O, 2-23
Restrictions in Protected Mode, 3-29, 3-30
Separate I/O Space, 2-22
Size of I/O Space, 3-22
INS/INSB/INSW Instruction, 3-30, 4-1
Instruction Sets, C-43
(see Hierarchy of 86, 186, 286 Instruction Sets),
INT Instruction,
(see Interrupt Handling),
Integer
(see Data Types),
Interrupt Handling, 2-23, 2-24, 5-3 through 5-7, 9-2 through 9-13
Interrupt Priorities, 5-4
Interrupt 0 Divide Error, 2-24, 3-9, 5-5, 5-6, 9-9, 9-13
Interrupt 1 Single-Step, 5-5, 5-6, 9-9, 9-13
Interrupt 2 Nonmaskable, 5-5, 5-6, 9-9, 9-13
Interrupt 3 Breakpoint, 2-24, 5-5, 5-6, 9-9
Interrupt 4 INTO Detected Overflow, 2-24, 5-5, 5-6, 9-9
Interrupt 5 BOUND Range Exceeded, 2-24, 4-6, 5-5, 5-6, 9-9, 9-13, B-21
Interrupt 6 Invalid Opcode, 2-24, 5-6, 9-9, 9-10
Interrupt 7 Processor Extension Not Available, 5-6, 5-7, 9-9
Interrupt 8, Interrupt Table Limit Too Small, 5-6, 5-7, 9-9, 9-10
Interrupt Vectors, 5-5, 5-6, 5-7
Reserved Vectors, 5-5, 5-6
Interrupt Procedures, 5-4, 5-5
Interrupt Vector Table, 5-3
Interrupts and Exceptions,
(see Interrupt Handling and Interrupt Priorities),
INTO Detected Overflow (Interrupt 4),
(see Interrupt Handling and Interrupt Priorities),
INTO Instruction, 2-24, ce 23, B-45, C-48
INTR, 5-3, 5-4, 9-1, 9-2, 9-7, 11-7
Invalid opcode (Interrupt 6),
(see Interrupt Handling and Interrupt Priorities),
IOPL (I/O Privilege Level),
(see Flags),
IP Register, 2-7, 2-8, 3-18, 3-19, 3-20, 5-4
IRET Instruction, 3-18, 3-20, 5-5, 8-5, 8-7, 8-8, 9-2 through 9-8, 9-13, B-48, C-43, C-48


JCXZ Instruction, 3-22, B-51, B-52, C-48 
JMP Instruction, 3-18, 3-19, B-53, B-54, 
B-55, C-43, C-47 


LAHF Instruction, 3-27, B-56, C-44
LAR Instruction, 11-3, B-57, C-49
LDS Instruction, 3-26, 5-1, B-58, C-44
LDT (Local Descriptor Table), 6-4 through 6-7, 6-10, 6-12, 7-5 through 7-8, 7-17, 8-6, 8-8, 8-9, 9-11, 9-12, 10-1, 10-2, 10-3, 11-6
LEA Instruction, 3-26, ce 7, B-60, C-49
LEAVE Instruction, 4-1, 4-5, B-61, C-48
LES Instruction, 3-26, 5-1, B-58, C-44
LGDT Instruction, 6-1, 6-12, 10-3, 10-5, B-62, C-49
LIDT Instruction, 5-6, 5-7, 10-3, 10-5, B-62, C-49
LLDT Instruction, 6-12, 10-3, 10- a B-63, C-49
LMSW Instruction, 10-4, 10-5, B-64, C-49
LOCK Prefix, 3-29, B-65, C-43, C-49
LODS/LODSB/LODSW, 3-25, B-66, C-46
LOOP Instruction, 3-5, 3-21, 3-22, B-17
LOOPE Instruction, 3-22, B-67, C-48
LOOPNE, 3-22, B-67, C-48
LOOPNZ, 3-22, B-67, C-48
LSL Instruction, 11-3, B-68, C-49


Memory,
Physical Size, 2-1
Segmentation, 2-1
Implied Usage, 2-11
Interpretation in Protected Mode, 2-8,
Interpretation in Real Mode, 2-8, 2-9, 5-1, 5-2, 5-3
Modularity, 2-1
Virtual Size, 2-1
Memory Addressing Modes, ZA through 2-21
Memory Management, 6-1 through 6-11, 7-4
Task Management, 6-1, 6-2, Chapter 8
Context Switching (Task Switching), 8-4, 8-5, 8-6
Overview, 6-2
Memory Management Registers, 6-8 through 6-11
Memory Mapped I/O
(see Input/Output),
Memory Mode,
Memory Segmentation and Segment Registers, 2-7, 2-8, 2-9
MOV Instructions, 2-16, 2-23, 3-1, B-70, C-44
MOVS Instructions, 3-24, B-72, C-47
MOVSB Instructions, 3-24, B-72
MOVSW Instruction, 3-24, 3-25, B-72
MSW Register, 5-7, 8-5, 10-4, 10-6, 10-7, B-64
MUL Instruction, 3-8, B-73, C-45


NEG Instruction, 3-10, B-74, C-45
NMI (Non maskable Interrupt), 5-5, 9-1,
9-2, 9-3, 9-9, 9-10
Nonmaskable (Interrupt 2)
(see Interrupt Priorities), 
NOP Instruction, 2-16, 2-17, B-75 
NOT Instruction, 3-10, B-76, C-46 
Not Present (Interrupt 11) 
(see Interrupt Priorities), 
NPX Processor Extension, 3-30, 3-31 
NT (Nested Task Flag) 
(see Flags), 
Numeric Data Processor Instructions, 3-31 


OF (Overflow Flag) 
(see Flags), 
Offset Computation, 2-19
Operands, 2-16, 2-17
OR Instruction, 2-23, 3-10, B-79, C-46
OUT/OUTW, 2-23, 3-30, 10-5, B-78, C-44
OUTS/OUTSB/OUTSW Instruction, 3-30,
4-1, B-79, C-46


PF (Parity Flag) 
(see Flags), 
Pointer 
(see Data Types), 
POP Instruction, 3-4, B-80, C-49 
POPA Instruction, 3-4, 3-5, B-82, C-49 
POPF Instruction, 3-27, 3-29, B-83, C-49 
Processor Extension Error (Interrupt 6) 
(see Interrupt Handling and Interrupt 
Priorities), 
Processor Extension Not Available 
(Interrupt 7) 
(see Interrupt and Interrupt Priorities), 
Processor Extension Segment Overrun 
Interrupt (Interrupt 9) 
(see Interrupt and Interrupt Priorities), 
Protected Mode, 1-3, 1-4, 6-2 
Protected Virtual Address Mode, 1-2, 1-4 


Protection Implementation, 7-2 through 7-10 
Protection Mechanisms, 1-3, 1-4 

Protection Overview, 1-3 

PUSH, 2-12, 3-1, 3-2, B-84, C-44 

PUSHA, 3-3, 3-4, B-85, C-44 

PUSHF, B-86, C-44 


Real Address Mode, 6-1, 6-2 
Register, 
Base Architecture Diagram, 2-7
Base Register BX, 2-7, 2-17, 2-19, 2-20,
3-1, 3-4, 3-7, 3-8, 3-10, 3-15, 3-17,
3-19, 3-21, 4-6
Flags Register, 2-14, 2-15 
General Registers, 2-6, 2-7 
Index Registers DI, SI, 2-10 
Overview, 2-6 
Pointer Registers BP and SP, 2-10, 2-23 
Segment Registers, 2-7, 2-8 
Status and Control, 2-14, 2-15 
Register Direct Mode, 2-20 
Register and Immediate Modes, 2-17 
Register Indirect Mode, 2-20 
(see Addressing Modes), 
Reserved Interrupt Vectors 
(see Interrupt Handling and Interrupt 
Priorities),
RESET, 10-6
RCL Instruction, 3-15, 9-9, B-87, C-41
RCR Instruction, 3-16, B-87, C-46
REP Prefix, 3-24, 4-1, 4-2, B-89
REPE Prefix, 3-25, B-89
REPNE Prefix, 3-25, B-89
REPNZ Prefix, 3-25
REPZ Prefix, 3-25
RET Instruction, 2-16, 3-18, 3-20, B-91, C-47
ROL Instruction, 3-13, B-87, C-46 
ROR Instruction, 3-14, B-87, C-46 
RPL, 7-14, 8-6, 9-6, 11-3 


SAL Instruction, 3-4, B-44, C-46 

SAR Instruction, 3-12, B-94, C-46 

SBB Instruction, 3-5, B-95, C-45 

SCAS Instruction, 3-5, 3-24, 3-25, B-96, 
C-4] 
SEG (Segment Override Prefix), 2-18
Segment Address Translation Registers, 6-9,
6-10, 6-11
Segment Descriptor, 7-10, 7-11, 7-12
Segment Overrun Exception (Interrupt 13) 
(see Interrupt Handling and Interrupt 
Priorities), 
Segment Selection, 2-17, 2-18, 2-19 
SF (Sign Flag) 
(see Flags), 
SGDT Instruction, 6-11, 10-3, B-97, C-49 
SHL Instruction, 3-11, B-94, C-46 
SHR Instruction, 3-11, 3-12, B-97, C-46
SI Register, 2-6, 2-10, 2-11, 2-15, 2-17, 2-19, 
3-9, 3-18, 3-24, 3-25, 3-26, 4-1 
SIDT Instruction, 10-3, B-97, C-49 
Single Step (Interrupt 1) 
(see Interrupt Priorities), 
SMSW Instruction, 10-4, B-99, C-49 
SP Register, 2-7, 2-10, 2-11, 2-12, 2-19, 
3-25, 3-26, 3-27, 4-3, 7-20, 7-21, 10-7
SS Register, 2-7, 2-10, 2-11, 2-12, 2-19, 5-7,
6-9, 6-11, 7-12, 7-13, 7-14, 7-16, 7-20,
7-21, 7-22, 8-4, 9-12, 10-7
Status and Control Registers, 2-14, 2-15
Stack Flag
(see Flags), 
Stack Fault (Interrupt 12) 
(see Interrupt Priorities), 
Stack Manipulation Instructions, 3-1 through 
3-5 
Stack Operations, 2-10 
Grow Down, 2-11 
Overview, 2-10 through 2-14 
Segment Register Usage, 2-11 
Segment Usage Override, 2-11
Stack Frame Base Pointer BP, 2-11
Top of Stack, 2-10, 2-11
TOS, 2-10, 2-11

with BP and SP Registers, 2-10 
Status Flags, 3-5 
STC Instructions, 3-26, B-100, C-49 
STD Instructions, 3-27, B-101, C-49 
STI Instructions, 2-15, 3-29, B-102, C-49 
String Instructions, 3-23 through 3-25 

SUB Instruction, 3-7, 3-8, B-105, C-45

System Address Registers, 6-11, 6-12 
System Initialization, 10-6, 10-7 
System Control Instructions, 10-3, 10-4 


TEST Instruction, 2-23, 3-17, B-106, C-46 
TF (Trap Flags) 
(see Flags), 
TOS (Top of Stack) 
(see Stack Operation), 
TR (Task Register), 7-6 
Transcendental Instruction, 3-37
TSS (Task State Segment), 8-1 through 8-8 


Use of Flags with Basic Instructions, 3-5, 
3-6 


Virtual Address, 6-2, 6-3, 6-4 

WAIT Instruction, 3-31, B-108, C-49 
XCHG Instruction, 3-1, B-109, C-44 
XLAT Instruction, 3-23, B-110, C-49
XOR Instruction, 2-6, 3-10, B-111, C-46 


ZF (Zero Flag) 
(see Flags), 
Numeric Supplement


PREFACE 


AN INTRODUCTION TO THE iAPX 286 


This supplement describes the 80287 Numeric Processor Extension (NPX) for the iAPX 286 micro- 
processor. Below is a brief overview of iAPX 286 concepts, along with some of the nomenclature used 
throughout this and other Intel publications. 


The iAPX 286 Microsystem 


The iAPX 286 is a new VLSI microprocessor system with exceptional capabilities for supporting large-
system applications. Based on a new-generation CPU (the Intel 80286), this powerful microsystem is 
designed to support multiuser reprogrammable and real-time multitasking applications. Its dedicated 
system support circuits simplify system hardware; sophisticated hardware and software tools reduce 
both the time and the cost of product development. 


The iAPX 286 is a virtual-memory microprocessor with on-chip memory management and protection. 
The iAPX 286 microsystem offers a total-solution approach, enabling you to develop high-speed, inter- 
active, multiuser, multitasking—and multiprocessor—systems more rapidly and at higher performance 
than ever before.


• Reliability and system up-time are becoming increasingly important in all applications. Information
must be protected from misuse or accidental loss. The iAPX 286 includes a sophisticated and flexi-
ble four-level protection mechanism that isolates layers of operating system programs from appli-
cation programs to maintain a high degree of system integrity.


• The iAPX 286 provides 16 megabytes of physical address space to support today’s application
requirements. This large physical memory enables the iAPX 286 to keep many large programs and
data structures simultaneously in memory for high-speed access.


• For applications with dynamically changing memory requirements, such as multiuser business
systems, the iAPX 286 CPU provides on-chip memory management and virtual memory support.
On an iAPX 286-based system, each user can have up to a gigabyte (2^30 bytes) of virtual-address
space. This large address space virtually eliminates restrictions on the number or size of programs
that may be part of the system.


• Large multiuser or real-time multitasking systems are easily supported by the iAPX 286. High-
performance features, such as a very high-speed task switch, fast interrupt-response time, inter-task
protection, and a quick and direct operating system interface, make the iAPX 286 highly suited to
multiuser/multitasking applications.


• The iAPX 286 has two operating modes: Real-Address mode and Protected-Address mode. In Real-
Address mode, the iAPX 286 is fully compatible with the iAPX 86, iAPX 88, iAPX 186, and iAPX
188 microprocessors; all of the extensive libraries of iAPX 86 and iAPX 88 software execute four
to six times faster on the iAPX 286, without any modification.


• In Protected-Address mode, the advanced memory management and protection features of the iAPX
286 become available, without any reduction in performance. Upgrading iAPX 86 and iAPX 88
application programs to use these new memory management and protection features usually requires
only reassembly or recompilation (some programs may require minor modification). This compati-
bility between iAPX 286 and iAPX 86 processor families reduces both the time and the cost of
software development.


Microsystem Nomenclature


Over the last several years, the increase in microcomputer system and software complexity has given 
birth to a new family of microprocessor products oriented towards solving these increasingly complex 
problems. These new generations of microprocessors are both powerful and flexible, and include many 
processor enhancements, such as numeric (floating-point) extensions, I/O processors, and operating- 
system functionality in silicon. 


As Intel’s product line has grown and evolved, its microprocessor product numbering system has evolved 
into a comprehensive numbering scheme, while still including the basis of previous 8086 nomenclature. 


Intel has adopted the following prefixes to provide differentiation and consistency among its Micro- 
system 80-related product lines:


iAPX—Processor Series
iRMX—Operating Systems
iSBC—Single-Board Computers
iSBX—MULTIMODULE Boards


Concentrating on the iAPX series, several processor families are defined: 


iAPX 86—8086 CPU family 
iAPX 88—8088 CPU family 
iAPX 186—80186 CPU family 
iAPX 286—80286 CPU family 


Each processor family consists of the CPU (e.g., 80286), processor extensions (80287 for the iAPX 
286), and bus support circuits, such as the 82284 Clock Generator and 82288 Bus Controller. With 
additional suffix information, configuration options for particular iAPX systems can be identified, such 
as the inclusion of Numeric Processor Extensions and I/O Processors. For the iAPX 286 family: 


iAPX 286/10—indicates 80286 CPU alone
iAPX 286/20—indicates 80286 CPU + 80287 NPX 


This nomenclature is intended as an addition to Intel’s regular part-numbering scheme. The series-level 
nomenclature describes the functional capabilities provided by specific configurations of the iAPX 
processor families. The hardware used to implement each functional configuration is still described by 
referring to the parts involved (as is the case for most of the 80287 information described in this 
supplement). 


This improved nomenclature provides a more meaningful view of system capability and performance 
within the evolving Microsystem 80 architecture. 


The Organization of This Supplement 


This supplement describes the 80287 Numeric Processor Extension (NPX) for the iAPX 286 micro- 
processor. The material in this supplement is presented from the perspective of software designers, 
both at an applications and at a systems software level. 


• Chapter One, “Overview of Numeric Processing,” gives an overview of the 80287 NPX and reviews
the concepts of numeric computation using the 80287.


• Chapter Two, “Programming Numeric Applications,” provides detailed information for software
designers generating applications for iAPX 286/20 systems (systems containing an 80286 CPU with
an 80287 NPX). The iAPX 286/20 instruction set mnemonics are explained in detail, along with a
description of programming facilities for iAPX 286/20 systems. A comparative iAPX 286/20
programming example is given.


• Chapter Three, “System-Level Numeric Programming,” provides information of interest to systems
software writers, including details of the iAPX 286/20 architecture and operational characteristics.


• Chapter Four, “Numeric Programming Examples,” provides several detailed programming examples
for the iAPX 286/20, including conditional branching, the conversion between floating-point values
and their ASCII representations, and the calculation of several trigonometric functions. These
examples illustrate assembly-language programming on the 80287 NPX.


• Appendix A, “Machine Instruction Encoding and Decoding,” gives reference information on the
encoding of NPX instructions.


• Appendix B, “Compatibility between the 80287 NPX and the 8087,” describes the differences
between the 80287 and the 8087.


• Appendix C, “Implementing the IEEE P754 Standard,” gives details of the IEEE P754 Standard.


• Appendix D, “80287 80-Bit HMOS Numeric Processor Extension,” provides hardware details of
the 80287 and the iAPX 286/20.


The Glossary defines 80287 and floating-point terminology. Refer to it as needed. 


Related Publications 


To best use the material in this supplement, readers should be familiar with the operation and archi- 
tecture of iAPX 286 systems. The following manuals contain information related to the content of this 
supplement and of interest to programmers of iAPX 286/20 systems:


Introduction to the iAPX 286, order number 210308 

iAPX 286 Programmer’s Reference Manual, order number 210498 
ASM 286 Assembly Language Reference Manual, order number 121924 
iAPX 286 Operating System Writer’s Guide, order number 121960
iAPX 286 Hardware Reference Manual, order number 210760
Microprocessor and Peripheral Handbook, order number 210844 
PL/M-286 User’s Guide, order number 121945 

80287 Support Library Reference Manual, order number 122129 


8050 Software Toolbox Manual, order number 122203 (includes information about 80287 Emulator 
Software) 


CHAPTER 1
OVERVIEW OF NUMERIC PROCESSING 


The 80287 NPX is a high-performance numerics processing element that extends the iAPX 286/10 
architecture by adding significant numeric capabilities and direct support for floating-point, extended- 
integer, and BCD data types. The iAPX 286/20 computing system (80286 CPU with 80287 NPX) 
easily supports powerful and accurate numeric applications through its implementation of the proposed 
IEEE 754 Standard for Binary Floating-Point Arithmetic. 


INTRODUCTION TO THE 80287 NUMERIC PROCESSOR EXTENSION 


The 80287 Numeric Processor Extension (NPX) is highly compatible with its predecessor, the earlier 
Intel 8087 NPX. 


The 8087 NPX was designed for use in iAPX 86-family systems. The iAPX 86 was the first micro-
processor family to partition the processing unit to permit high-performance numeric capabilities. The 
8087 NPX for this processor family implemented a complete numeric processing environment in 
compliance with the proposed IEEE 754 Floating-Point Standard. 


With the 80287 Numeric Processor Extension, high-speed numeric computations have been extended 
to iAPX 286 high-performance multi-tasking and multi-user systems. Multiple tasks using the numeric 
processor extension are afforded the full protection of the iAPX 286 memory management and protec- 
tion features. 


Figure 1-1 illustrates the relative performance of 8-MHz iAPX 86/20 and iAPX 286/20 systems in 
executing numerics-oriented applications. 


Figure 1-1. Evolution and Performance of Numeric Processors


Performance


Table 1-1 compares the execution times of several 80287 instructions with the equivalent operations 
executed in software on an 8-MHz 80286. The software equivalents are highly-optimized assembly- 
language procedures from the 80287 emulator. As indicated in the table, the 80287 NPX provides 
about 50 to 100 times the performance of software numeric routines on the 80286 CPU. An 8-MHz 
80287 multiplies 32-bit and 64-bit real numbers in about 11.9 and 16.9 microseconds, respectively. Of 
course, the actual performance of the NPX in a given system depends on the characteristics of the 
individual application. 


Although the performance figures shown in table 1-1 refer to operations on real (floating-point) numbers, 
the 80287 also manipulates fixed-point binary and decimal integers of up to 64 bits or 18 digits, respec- 
tively. The 80287 can improve the speed of multiple-precision software algorithms for integer opera- 
tions by 10 to 100 times. 


Because the 80287 NPX is an extension of the 80286 CPU, no software overhead is incurred in setting 
up the NPX for computation. The 80287 and 80286 processors coordinate their activities in a manner 
transparent to software. Moreover, built-in coordination facilities allow the 80286 CPU to proceed with 
other instructions while the 80287 NPX is simultaneously executing numeric instructions. Programs 
can exploit this concurrency of execution to further increase system performance and throughput.


Ease of Use 


The 80287 NPX offers more than raw execution speed for computation-intensive tasks. The 80287 
brings the functionality and power of accurate numeric computation into the hands of the general user.


Like the 8087 NPX that preceded it, the 80287 is explicitly designed to deliver stable, accurate results 
when programmed using straightforward “pencil and paper” algorithms. The IEEE 754 standard
specifically addresses this issue, recognizing the fundamental importance of making numeric compu- 
tations both easy and safe to use. 


For example, most computers can overflow when two single-precision floating-point numbers are multi- 
plied together and then divided by a third, even if the final result is a perfectly valid 32-bit number.
The 80287 delivers the correctly rounded result. Other typical examples of undesirable machine behav- 
ior in straightforward calculations occur when solving for the roots of a quadratic equation: 


$$\frac{-b \pm \sqrt{b^2 - 4ac}}{2a}$$


or computing financial rate of return, which involves the expression: (1+i)^n. On most machines,
straightforward algorithms will not deliver consistently correct results (and will not indicate when they
are incorrect). To obtain correct results on traditional machines under all conditions usually requires
sophisticated numerical techniques that are foreign to most programmers. General application
programmers using straightforward algorithms will produce much more reliable programs using the
80287. This simple fact greatly reduces the software investment required to develop safe, accurate
computation-based products.


Table 1-1. Numeric Processing Speed Comparisons


                                                        Approximate Performance Ratios:
                                                        8 MHz iAPX 286/20 to 8 MHz
Floating-Point Instruction                              Protected Mode iAPX using E80287

FADD ST,ST (Temp Real)              Addition            1: 42:102
FDIV DWORD PTR (Single-Precision)   Division            1:266:358
FXAM (Stack(0) assumed)             Examine             1:139:454
FYL2X (Stack(0),(1) assumed)        Logarithm           1: 99:155
FPATAN (Stack(0) assumed)           Arctangent          1:153:176
F2XM1 (Stack(0) assumed)            Exponentiation      1: 41: 56
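The multiply-then-divide case described above, together with its underflow counterpart, as an added example (not code from the Intel manual). It assumes `long double` as a stand-in for the 80287's wide intermediate format (it is the x87 80-bit format on x86 GCC/Clang targets and at least double precision elsewhere); the function names and sample values are constructed for illustration.

```c
#include <float.h>
#include <stdio.h>

/* Result of comparing the narrow and the wide evaluation of a*b/c. */
enum hazard { HAZARD_NONE, HAZARD_OVERFLOW, HAZARD_UNDERFLOW };

/* a*b/c with the intermediate product rounded to 32-bit single precision.
 * The volatile store forces the product out of any wider register, which
 * models a machine that has no extended intermediate format. */
float muldiv_single(float a, float b, float c)
{
    volatile float product = a * b;
    return product / c;
}

/* a*b/c with the intermediate product held in a wider format and rounded
 * to single precision once, at the end (assumption: long double plays the
 * role of the coprocessor's internal format). */
float muldiv_wide(float a, float b, float c)
{
    long double product = (long double)a * (long double)b;
    return (float)(product / (long double)c);
}

/* Report whether the narrow evaluation lost a result that is a perfectly
 * valid, nonzero single-precision number when computed with a wide
 * intermediate. */
enum hazard classify(float a, float b, float c)
{
    float narrow = muldiv_single(a, b, c);
    float wide = muldiv_wide(a, b, c);

    /* The wide result must itself be finite and nonzero to count. */
    if (!(wide <= FLT_MAX && wide >= -FLT_MAX) || wide == 0.0f)
        return HAZARD_NONE;

    /* Infinity or NaN in the narrow path: the product overflowed. */
    if (narrow != narrow || narrow > FLT_MAX || narrow < -FLT_MAX)
        return HAZARD_OVERFLOW;

    /* Zero in the narrow path: the product underflowed. */
    if (narrow == 0.0f)
        return HAZARD_UNDERFLOW;

    return HAZARD_NONE;
}

int main(void)
{
    /* Constructed sample inputs: {a, b, c}. */
    static const float cases[][3] = {
        { 1e30f,  1e30f,  1e30f  },   /* product 1e60 exceeds FLT_MAX   */
        { 1e-30f, 1e-30f, 1e-30f },   /* product 1e-60 is below FLT_MIN */
        { 3.0f,   4.0f,   2.0f   },   /* ordinary values                */
    };
    static const char *names[] = { "none", "overflow", "underflow" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        float a = cases[i][0], b = cases[i][1], c = cases[i][2];
        printf("a=%g b=%g c=%g  single=%g  wide=%g  hazard=%s\n",
               a, b, c,
               muldiv_single(a, b, c), muldiv_wide(a, b, c),
               names[classify(a, b, c)]);
    }
    return 0;
}
```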


Beyond traditional numerics support for scientific applications, the 80287 has built-in facilities for 
commercial computing. It can process decimal numbers of up to 18 digits without round-off errors, 
performing exact arithmetic on integers as large as 2^64 or 10^18. Exact arithmetic is vital in accounting
applications where rounding errors may introduce monetary losses that cannot be reconciled. 


The NPX contains a number of optional facilities that can be invoked by sophisticated users. These 
advanced features include two models of infinity, directed rounding, gradual underflow, and either 
automatic or programmed exception-handling facilities. 


These automatic exception-handling facilities permit a high degree of flexibility in numeric processing 
software, without burdening the programmer. While performing numeric calculations, the NPX 
automatically detects exception conditions that can potentially damage a calculation. By default, on- 
chip exception handlers may be invoked to field these exceptions so that a reasonable result is produced, 
and execution may proceed without program interruption. Alternatively, the NPX can signal the CPU, 
invoking a software exception handler whenever various types of exceptions are detected. 


Applications 


The NPX’s versatility and performance make it appropriate to a broad array of numeric applications. 
In general, applications that exhibit any of the following characteristics can benefit by implementing 
numeric processing on the 80287: 


• Numeric data vary over a wide range of values, or include nonintegral values.

• Algorithms produce very large or very small intermediate results.

• Computations must be very precise; i.e., a large number of significant digits must be maintained.

• Performance requirements exceed the capacity of traditional microprocessors.

• Consistently safe, reliable results must be delivered using a programming staff that is not expert in
numerical techniques.


Note also that the 80287 can reduce software development costs and improve the performance of 
systems that use not only real numbers, but operate on multiprecision binary or decimal integer values 
as well. 


A few examples, which show how the 80287 might be used in specific numerics applications, are
described below. In many cases, these types of systems have been implemented in the past with 
minicomputers. The advent of the 80287 brings the size and cost savings of microprocessor technology 
to these applications for the first time. 


• Business data processing—The NPX’s ability to accept decimal operands and produce exact decimal
results of up to 18 digits greatly simplifies accounting programming. Financial calculations that use
power functions can take advantage of the 80287’s exponentiation and logarithmic instructions.


• Process control—The 80287 solves dynamic range problems automatically, and its extended preci-
sion allows control functions to be fine-tuned for more accurate and efficient performance. Control
algorithms implemented with the NPX also contribute to improved reliability and safety, while the
80287’s speed can be exploited in real-time operations.


• Computer numerical control (CNC)—The 80287 can move and position machine tool heads with
accuracy in real-time. Axis positioning also benefits from the hardware trigonometric support provided
by the 80287.


• Robotics—Coupling small size and modest power requirements with powerful computational abili-
ties, the NPX is ideal for on-board six-axis positioning.


• Navigation—Very small, lightweight, and accurate inertial guidance systems can be implemented
with the 80287. Its built-in trigonometric functions can speed and simplify the calculation of position
from bearing data.


• Graphics terminals—The 80287 can be used in graphics terminals to locally perform many functions
that normally demand the attention of a main computer; these include rotation, scaling, and inter-
polation. By also using an 82720 Graphics Display Controller to perform high speed data transfers,
very powerful and highly self-sufficient terminals can be built from a relatively small number of
80286 family parts.


• Data acquisition—The 80287 can be used to scan, scale, and reduce large quantities of data as it is
collected, thereby lowering storage requirements and time required to process the data for analysis.


The preceding examples are oriented toward traditional numerics applications. There are, in addition,
many other types of systems that do not appear to the end user as computational, but can employ the 
80287 to advantage. Indeed, the 80287 presents the imaginative system designer with an opportunity 
similar to that created by the introduction of the microprocessor itself. Many applications can be viewed 
as numerically-based if sufficient computational power is available to support this view. This is analo- 
gous to the thousands of successful products that have been built around “buried” microprocessors,
even though the products themselves bear little resemblance to computers.


Upgradability 


The architecture of the iAPX 286/10 CPU is specifically adapted to allow easy upgradability 
to an iAPX 286/20 system, simply by plugging in the 80287 NPX. For this reason, designers of 
iAPX 286/10 systems may wish to incorporate the 80287 NPX into their designs in order to offer two
levels of price and performance at little additional cost. 


Two features of the 80286 CPU make the design and support of upgradable iAPX 286 systems partic-
ularly simple: 


• The 80286 can be programmed to recognize the presence of an 80287 NPX; that is, software can
recognize whether it is running on an iAPX 286/10 or an iAPX 286/20 system.


• After determining whether the 80287 NPX is available, the 80286 CPU can be instructed to let the
NPX execute all numeric instructions. If an 80287 NPX is not available, the 80286 CPU can emulate
all 80287 numeric instructions in software. This emulation is completely transparent to the appli-
cation software—the same object code may be used by both iAPX 286/10 and 286/20 systems. No
relinking or recompiling of application software is necessary; the same code will simply execute
faster on the iAPX 286/20 than on the iAPX 286/10 system.


To facilitate this design of upgradable iAPX 286/10 systems, Intel provides a software emulator for
the 80287 that provides the functional equivalent of the 80287 hardware, implemented in software on
the 80286. Except for timing, the operation of this 80287 emulator (E80287) is the same as
for the 80287 NPX hardware. When the emulator is combined as part of the systems software, the 
iAPX 286/10 system with 80287 emulation and the iAPX 286/20 (with 80287 hardware) are virtually 
indistinguishable to an application program. This capability makes it easy for software developers to 
maintain a single set of programs for both iAPX 286/10 and iAPX 286/20 systems. System manufac- 
turers can offer the NPX as a simple plug-in performance option without necessitating any changes in 
the user’s software. 


Programming Interface


The iAPX 286/20 is programmed as a single processor; all of the 80287 registers appear to a program- 
mer as extensions of the basic 80286 register set. The 80286 has a class of instructions known as 
ESCAPE instructions, all having a common format. These ESC instructions are numeric instructions 
for the 80287 NPX. These numeric instructions for the 80287 are simply encoded into the instruction 
stream along with 80286 instructions. 


All of the CPU memory-addressing modes may be used in programming the NPX, allowing convenient 
access to record structures, numeric arrays, and other memory-based data structures. All of the memory 
management and protection features of the CPU are extended to the NPX as well. 


Numeric processing in the 80287 centers around the NPX register stack. Programmers can treat these 
eight 80-bit registers as either a fixed register set, with instructions operating on explicitly-designated 
registers, or a classical stack, with instructions operating on the top one or two stack elements. 


Internally, the 80287 holds all numbers in a uniform 80-bit temporary-real format. Operands that may
be represented in memory as 16-, 32-, or 64-bit integers, 32-, 64-, or 80-bit floating-point numbers, or 
18-digit packed BCD numbers, are automatically converted into temporary-real format as they are 
loaded into the NPX registers. Computation results are subsequently converted back into one of these 
destination data formats when they are stored into memory from the NPX registers.


Table 1-2 lists each of the seven data types supported by the 80287, showing the data format for each 
type. All operands are stored in memory with the least significant digits starting at the initial (lowest) 
memory address. Numeric instructions access and store memory operands using only this initial address. 
For maximum system performance, all operands should start at even memory addresses. 


Table 1-2. Numeric Data Types


                    Significant
Data Type           Digits (Decimal)    Approximate Range (Decimal)

Word integer                            −32,768 ≤ X ≤ +32,767
Short integer                           −2×10^9 ≤ X ≤ +2×10^9
Long integer                            −9×10^18 ≤ X ≤ +9×10^18
Packed decimal                          −99...99 ≤ X ≤ +99...99 (18 digits)
Short real                              8.43×10^-37 ≤ |X| ≤ 3.37×10^38
Long real                               4.19×10^-307 ≤ |X| ≤ 1.67×10^308
Temporary real                          3.4×10^-4932 ≤ |X| ≤ 1.2×10^4932


Table 1-3 lists the 80287 instructions by class. No special programming tools are necessary to use the
80287, because all of the NPX instructions and data types are directly supported by the ASM286
Assembler and Intel’s appropriate high-level languages.


Software routines for the iAPX 286/20 may be written in ASM286 Assembler or any of the following
higher-level languages: 


PL/M-286 
PASCAL-286 
FORTRAN-286 
C-286 


In addition, all of the development tools supporting the iAPX 86/20 (8086 and 8087) can also be used
to develop software for the iAPX 286/20 operating in Real-Address mode. 


All of these high-level languages provide programmers with access to the computational power and 
speed of the 80287 without requiring an understanding of the architecture of the 80286 and 80287 
chips. Such architectural considerations as concurrency and data synchronization are handled automat- 
ically by these high-level languages. For the ASM286 programmer, specific rules for handling these
issues are discussed in a later section of this supplement. 


Hardware Interface


As an extension of the iAPX 286/10 processor, the 80287 is wired very much in parallel with the
80286 CPU. Four special status signals, PEREQ, PEACK, BUSY, and ERROR, permit the two
processors to coordinate their activities. The 80287 NPX also monitors the 80286 S1, S0, COD/INTA,
READY, HLDA, and CLK pins to monitor the execution of ESC instructions (numeric instructions) 
by the 80286. 


As shown in figure 1-2, the 80287 NPX is divided internally into two processing elements; the Bus 
Interface Unit (BIU) and the Numeric Execution Unit (NEU). The two units operate independently 
of one another: the BIU receives and decodes instructions, requests operand transfers with memory, 
and executes processor control instructions, whereas the NEU processes individual numeric 
instructions.


Table 1-3. Principal NPX Instructions


Class                Instruction Types

Data Transfer        Load (all data types), Store (all data types), Exchange

Arithmetic           Add, Subtract, Multiply, Divide, Subtract Reversed, Divide
                     Reversed, Square Root, Scale, Remainder, Integer Part, Change
                     Sign, Absolute Value, Extract

Comparison           Compare, Examine, Test

Transcendental       Tangent, Arctangent, 2^X − 1, Y·Log2(X + 1), Y·Log2(X)

Constants            0, 1, π, Log10 2, Loge 2, Log2 10, Log2 e

Processor Control    Load Control Word, Store Control Word, Store Status Word,
                     Load Environment, Store Environment, Save, Restore, Clear
                     Exceptions, Initialize, Set Protected Mode


[Block diagram; labels: Bus Interface Unit, Control Word, Status Word, Data Buffer, Operands Queue, Exponent Bus, Fraction Bus, Interface, NEU Instruction, Microcode Control Unit, Exponent Module, Programmable Shifter, Arithmetic Module, Temporary Registers, Control Unit]

Figure 1-2. 80287 NPX Block Diagram


The BIU handles all of the status and signal lines between the 80287 and the 80286. The NEU executes 
all instructions that involve the register stack. These instructions include arithmetic, logical, transcen- 
dental, constant, and data transfer instructions. The data path in the NEU is 84 bits wide (68 fraction 
bits, 15 exponent bits, and a sign bit), allowing internal operand transfers to be performed at very high 
speeds. 


The 80287 executes a single numeric instruction at a time. Before executing most ESC instructions, 
the 80286 tests the BUSY pin and, before initiating the command, waits until the 80287 indicates that 
it is not busy. Once initiated, the 80286 continues program execution, while the 80287 executes the 
numeric instruction. Unlike iAPX 86/20 systems, which required a WAIT instruction to test the BUSY 
signal before each ESC opcode, these WAIT instructions are permissible, but not necessary, in iAPX 
286/20 programs. 


In all cases, a WAIT or ESC instruction should be inserted after any 80287 store to memory (except 
FSTSW or FSTCW) or load from memory (except FLDENV, FLDCW, or FRSTOR) before the 80286 
reads or changes the memory value. 


When needed, all data transfers between memory and the 80287 NPX are performed by the 80286 
CPU, using its Processor Extension Data Channel. Numeric data transfers performed by the 80286 
use the same timing as any other bus cycle, and all such transfers come under the supervision of the 
iAPX 286 memory management and protection mechanisms. The 80286 Processor Extension Data 
Channel and the hardware interface between the 80286 and 80287 processors are described in Chapter 
Six of the iAPX 286 Hardware Reference Manual. 


From the programmer’s perspective, the 80287 can be considered just an extension of the 80286 
processor. All interaction between the 80286 and the 80287 processors on the hardware level is handled 
automatically by the 80286 and is transparent to the software. 


To communicate with the 80287, the 80286 uses the reserved I/O port addresses 00F8H, 00FAH, and 
00FCH (I/O ports numbered 00F8H through 00FFH are reserved for the 80286/80287 interface). 
These I/O operations are performed automatically by the 80286 and are distinct from I/O operations 
that result from program I/O instructions. I/O operations resulting from the execution of ESC instruc- 
tions are completely transparent to software. Any program may execute ESCAPE (numeric) instruc- 
tions, without regard to its current I/O Privilege Level (IOPL). 


To guarantee correct operation of the 80287, iAPX 286 programs must not perform any explicit I/O 
operations to any of the eight ports reserved for the 80287. The IOPL of the iAPX 286 can be used to 
protect the integrity of 80287 computations in multiuser reprogrammable applications, preventing any 
accidental or other tampering with the 80287 (see Chapter Eight of the iAPX 286 Operating Systems 
Writer’s Guide). 


80287 NUMERIC PROCESSOR ARCHITECTURE 


To the programmer, the 80287 NPX appears as a set of additional registers complementing those of 
the 80286. These additional registers consist of 


• Eight individually-addressable 80-bit numeric registers, organized as a register stack 
• Three sixteen-bit registers containing: 
    an NPX status word 
    an NPX control word 
    a tag word 
• Four 16-bit registers containing the NPX instruction and data pointers 


All of the NPX numeric instructions focus on the contents of these NPX registers. 


The NPX Register Stack 


The 80287 register stack is shown in figure 1-3. Each of the eight numeric registers in the 80287 
register stack is 80 bits wide and is divided into fields corresponding to the NPX’s temporary real data 
type. 


Numeric instructions address the data registers relative to the register on the top of the stack. At any 
point in time, this top-of-stack register is indicated by the ST (Stack Top) field in the NPX status 
word. Load or push operations decrement ST by one and load a value into the new top register. A store- 
and-pop operation stores the value from the current ST register and then increments ST by one. Like 
80286 stacks in memory, the 80287 register stack grows down toward lower-addressed registers. 


Many numeric instructions have several addressing modes that permit the programmer to implicitly 
operate on the top of the stack, or to explicitly operate on specific registers relative to the ST. The 
ASM286 Assembler supports these register addressing modes, using the expression ST(0), or simply 
ST, to represent the current Stack Top and ST(i) to specify the ith register from ST in the stack (0 ≤ 
i ≤ 7). For example, if ST contains 011B (register 3 is the top of the stack), the following statement 
would add the contents of the top two registers on the stack (registers 3 and 4): 


FADD ST, ST(1) 


The stack organization and top-relative addressing of the numeric registers simplify subroutine 
programming by allowing routines to pass parameters on the register stack. By using the stack to pass 
parameters rather than using “dedicated” registers, calling routines gain more flexibility in how they 
use the stack. As long as the stack is not full, each routine simply loads the parameters onto the stack 
before calling a particular subroutine to perform a numeric calculation. The subroutine then addresses 
its parameters as ST, ST(1), etc., even though ST may, for example, refer to physical register 3 in one 
invocation and physical register 5 in another. 


(Register diagram. 80287 stack: numeric registers with exponent (bits 78-64) and significand 
(bits 63-0) fields, each with a tag field (bits 1-0); control register, status register, tag word, 
instruction pointer, data pointer.) 

Figure 1-3. 80287 Register Set 


The NPX Status Word 


The 16-bit status word shown in figure 1-4 reflects the overall state of the 80287. This status word may 
be stored into memory using the FSTSW/FNSTSW, FSTENV/FNSTENV, and FSAVE/FNSAVE 
instructions, and can be transferred into the 80286 AX register with the FSTSW AX/FNSTSW AX 
instructions, allowing the NPX status to be inspected by the CPU. 


The Busy bit (bit 15) and the BUSY pin indicate whether the 80287’s execution unit is idle (B=0) or 
is executing a numeric instruction or signalling an exception (B=1). (The instructions FNSTSW, 
FNSTSW AX, FNSTENV, and FNSAVE do not set the Busy bit themselves, nor do they require the 
Busy bit to be clear in order to execute.) 


The four NPX condition code bits (C0-C3) are similar to the flags in a CPU: the 80287 updates these 
bits to reflect the outcome of arithmetic operations. The effect of these instructions on the condition 
code bits is summarized in table 1-4. These condition code bits are used principally for conditional 
branching. The FSTSW AX instruction stores the NPX status word directly into the CPU AX register, 
allowing these condition codes to be inspected efficiently by 80286 code. 


Bits 12-14 of the status word point to the 80287 register that is the current Stack Top (ST). The 
significance of the stack top has been described in the section on the Register Stack. 
Fields of the 16-bit status word (bits 15-0), as labelled in the figure: 

EXCEPTION FLAGS (1 = EXCEPTION HAS OCCURRED) 
    INVALID OPERATION* 
    DENORMALIZED OPERAND* 
    ZERO DIVIDE* 
    OVERFLOW* 
    UNDERFLOW* 
    PRECISION* 
(RESERVED) 
ERROR SUMMARY STATUS (1) 
CONDITION CODE (2) 
STACK TOP POINTER (3) 
NEU BUSY 

(1) ES IS SET IF ANY UNMASKED EXCEPTION BIT IS SET, CLEARED OTHERWISE. 
(2) SEE TABLE 1-4 FOR CONDITION CODE INTERPRETATION. 
(3) ST VALUES 
    000 = REGISTER 0 IS TOP OF STACK 
    001 = REGISTER 1 IS TOP OF STACK 
    ... 
    111 = REGISTER 7 IS TOP OF STACK 

*FOR DEFINITIONS, SEE THE SECTION ON EXCEPTION HANDLING. 

Figure 1-4. 80287 Status Word 


Table 1-4. Interpreting the NPX Condition Codes 


Instruction Type 

Compare, Test              ST > Source or 0 (FTST) 
                           ST < Source or 0 (FTST) 
                           ST = Source or 0 (FTST) 
                           ST is not comparable 

Remainder                  Complete reduction with three low bits of quotient in C0, C3, and C1 
               U  U        Incomplete Reduction 

Examine        0  0  0     Valid, positive, unnormalized 
               0  0  1     Invalid, positive, exponent = 0 
               0  0  0     Valid, negative, unnormalized 
               0  0  1     Invalid, negative, exponent = 0 
               0  1  0     Valid, positive, normalized 
               0  1  1     Infinity, positive 
               0  1  0     Valid, negative, normalized 
               0  1  1     Infinity, negative 
               1  0  0     Zero, positive 
               1  0  1     Empty Register 
               1  0  0     Zero, negative 
               1  0  1     Empty Register 
               1  1  0     Invalid, positive, exponent = 0 
               1  1  1     Empty Register 
               1  1  0     Invalid, negative, exponent = 0 
               1  1  1     Empty Register 

NOTES: 
1. ST = Top of stack 
2. X = value is not affected by instruction 
3. U = value is undefined following instruction 
4. Qn = Quotient bit n following complete reduction (C2=0) 
Figure 1-4 shows the six error flags in bits 0-5 of the status word. Bit 7 is the error summary status 
(ES) bit. ES is set if any unmasked exception bits are set, and is cleared otherwise. If this bit is set, 
the ERROR signal is asserted. Bits 0-5 indicate whether the NPX has detected one of six possible 
exception conditions since these status bits were last cleared or reset. 


Control Word 


The NPX provides the programmer with several processing options, which are selected by loading a 
word from memory into the control word. Figure 1-5 shows the format and encoding of the fields in 
the control word. 


The low-order byte of this control word configures the 80287 error and exception masking. Bits 0-5 of 
the control word contain individual masks for each of the six exception conditions recognized by the 
80287. The high-order byte of the control word configures the 80287 processing options, including 


• Precision control 
• Rounding control 
• Infinity control 


The Precision control bits (bits 8-9) can be used to set the 80287 internal operating precision at less 
than the default precision (64-bit significand). These control bits can be used to provide compatibility 
with the earlier-generation arithmetic processors having less precision than the 80287, as required by 
the IEEE 754 standard. Setting a lower precision, however, will not affect the execution time of numeric 
calculations. 


Fields of the 16-bit control word (bits 15-0), as labelled in the figure: 

EXCEPTION MASKS (1 = EXCEPTION IS MASKED) 
    INVALID OPERATION 
    DENORMALIZED OPERAND 
    ZERO DIVIDE 
    OVERFLOW 
    UNDERFLOW 
    PRECISION 
(RESERVED) 
(RESERVED) 
PRECISION CONTROL (1) 
ROUNDING CONTROL (2) 
INFINITY CONTROL (0 = PROJECTIVE, 1 = AFFINE) 
(RESERVED) 

(1) PRECISION CONTROL              (2) ROUNDING CONTROL 
    00 = 24-BIT SIGNIFICAND            00 = ROUND TO NEAREST OR EVEN 
    01 = RESERVED                      01 = ROUND DOWN (TOWARD −∞) 
    10 = 53-BIT SIGNIFICAND            10 = ROUND UP (TOWARD +∞) 
    11 = 64-BIT SIGNIFICAND            11 = CHOP (TRUNCATE TOWARD ZERO) 

Figure 1-5. 80287 Control Word Format 
The rounding control bits (bits 10-11) provide for directed rounding and true chop as well as the unbiased 
round-to-nearest-even mode specified in the IEEE 754 standard. 


The infinity control bit (bit 12) determines the manner in which the 80287 treats the special values of 
infinity. Either affine closure (where positive infinity is distinct from negative infinity) or projective 
closure (infinity is treated as a single unsigned quantity) may be specified. These two alternative views 
of infinity are discussed in the section on Computation Fundamentals. 


The NPX Tag Word 


The tag word indicates the contents of each register in the register stack, as shown in figure 1-6. The 
tag word is used by the NPX itself in order to track its numeric registers and optimize performance. 
Programmers may use this tag information to interpret the contents of the numeric registers. The tag 
values are stored in the tag word corresponding to the physical registers 0-7. Programmers must use 
the current Stack Top (ST) pointer stored in the NPX status word to associate these tag values with 
the relative stack registers ST(0) through ST(7). 


The NPX Instruction and Data Pointers 


The NPX instruction and data registers provide support for programmed exception-handlers. Whenever 
the 80287 executes a math instruction, the NPX internally saves the instruction address, the operand 
address (if present), and the instruction opcode. The 80287 FSTENV and FSAVE instructions store 
this data into memory, allowing exception handlers to determine the precise nature of any numeric 
exceptions that may be encountered. 


When stored in memory, the instruction and data pointers appear in one of two formats, depending on 
the operating mode of the 80287. Figure 1-7 shows these pointers as they are stored following an 
FSTENV instruction. In Real-Address mode, these values are the 20-bit physical address and 11-bit 
opcode formatted like the 8087. In Protected mode, these values are the 32-bit virtual addresses used 
by the program that executed the ESC instruction. 


The instruction address saved in the 80287 will point to any prefixes that preceded the instruction. 
This is different from the 8087, for which the instruction address pointed only to the ESC instruction 
opcode. 


TAG VALUES: 
    00 = VALID 
    01 = ZERO 
    10 = INVALID OR INFINITY 
    11 = EMPTY 

Figure 1-6. 80287 Tag Word Format 
MEMORY 
OFFSET   REAL MODE                        PROTECTED MODE 

+0       CONTROL WORD                     CONTROL WORD 
+2       STATUS WORD                      STATUS WORD 
+4       TAG WORD                         TAG WORD 
+6       INSTRUCTION POINTER (15-0)       IP OFFSET 
+8       INSTRUCTION POINTER (19-16),     CS SELECTOR 
         INSTRUCTION OPCODE (10-0) 
+10      DATA POINTER (15-0)              DATA OPERAND OFFSET 
+12      DATA POINTER (19-16)             DATA OPERAND SELECTOR 

Figure 1-7. 80287 Instruction and Data Pointer Image in Memory 


COMPUTATION FUNDAMENTALS 


This section covers 80287 programming concepts that are common to all applications. It describes the 
80287’s internal number system and the various types of numbers that can be employed in NPX 
programs. The most commonly used options for rounding, precision, and infinity (selected by fields in 
the control word) are described, with exhaustive coverage of less frequently used facilities deferred to 
later sections. Exception conditions that may arise during execution of NPX instructions are also 
described along with the options that are available for responding to these exceptions. 


Number System 


The system of real numbers that people use for pencil and paper calculations is conceptually infinite 
and continuous. There is no upper or lower limit to the magnitude of the numbers one can employ in a 
calculation, or to the precision (number of significant digits) that the numbers can represent. When 
considering any real number, there is always an infinity of numbers both larger and smaller. There is 
also an infinity of numbers between (i.e., with more significant digits than) any two real numbers. For 
example, between 2.5 and 2.6 are 2.51, 2.5897, 2.500001, etc. 


While ideally it would be desirable for a computer to be able to operate on the entire real number 
system, in practice this is not possible. Computers, no matter how large, ultimately have fixed-size 
registers and memories that limit the system of numbers that can be accommodated. These limitations 
determine both the range and the precision of numbers. The result is a set of numbers that is finite 
and discrete, rather than infinite and continuous. This sequence is a subset of the real numbers that is 
designed to form a useful approximation of the real number system. 
Figure 1-8 superimposes the basic 80287 real number system on a real number line (decimal numbers 
are shown for clarity, although the 80287 actually represents numbers in binary). The dots indicate the 
subset of real numbers the 80287 can represent as data and final results of calculations. The 80287’s 
range is approximately ±4.19×10^-307 to ±1.67×10^308. Applications that are required to deal with 
data and final results outside this range are rare. For reference, the range of the IBM 370 is about 
±0.54×10^-78 to ±0.72×10^76. 


The finite spacing in figure 1-8 illustrates that the NPX can represent a great many, but not all, of the 
real numbers in its range. There is always a gap between two adjacent 80287 numbers, and it is possible 
for the result of a calculation to fall in this space. When this occurs, the NPX rounds the true result 
to a number that it can represent. Thus, a real number that requires more digits than the 80287 can 
accommodate (e.g., a 20-digit number) is represented with some loss of accuracy. Notice also that the 
80287’s representable numbers are not distributed evenly along the real number line. In fact, an equal 
number of representable numbers exists between successive powers of 2 (i.e., as many representable 
numbers exist between 2 and 4 as between 65,536 and 131,072). Therefore, the gaps between repre- 
sentable numbers are larger as the numbers increase in magnitude. All integers in the range ery 
(approximately am 10"), however, are exactly representable. 


In its internal operations, the 80287 actually employs a number system that is a substantial superset of 
that shown in figure 1-8. The internal format (called temporary real) extends the 80287’s range to 
about ±3.4×10^-4932 to ±1.2×10^4932, and its precision to about 19 (equivalent decimal) digits. This 
format is designed to provide extra range and precision for constants and intermediate results, and is 
not normally intended for data or final results. 


(Number line. Negative range (normalized): −1.67×10^308 to −4.19×10^-307. Positive range 
(normalized): 4.19×10^-307 to 1.67×10^308. Inset: 1.99999999999999999 and 
2.00000000000000000 are adjacent representable values and the numbers between them are not 
representable. Precision: 18 digits.) 

Figure 1-8. 80287 Number System 


From a practical standpoint, the 80287’s set of real numbers is sufficiently large and dense so as not 
to limit the vast majority of microprocessor applications. Compared to most computers, including 
mainframes, the NPX provides a very good approximation of the real number system. It is important 
to remember, however, that it is not an exact representation, and that arithmetic on real numbers is 
inherently approximate. 


Conversely, and equally important, the 80287 does perform exact arithmetic on integer operands. That 
is, an operation on two integers returns an exact integral result, provided that the true result is an 
integer and is in range. For example, 4÷2 yields an exact integer, 1÷3 does not, and 2^40 × 2^30 + 1 
does not, because the result requires greater than 64 bits of precision. 


Data Types and Formats 


The 80287 recognizes seven numeric data types, divided into three classes: binary integers, packed 
decimal integers, and binary reals. A later section describes how these formats are stored in memory 
(the sign is always located in the highest-addressed byte). Figure 1-9 summarizes the format of each 
data type. In the figure, the most significant digits of all numbers (and fields within numbers) are the 
leftmost digits. Table 1-5 provides the range and number of significant (decimal) digits that each format 
can accommodate. 


BINARY INTEGERS 


The three binary integer formats are identical except for length, which governs the range that can be 
accommodated in each format. The leftmost bit is interpreted as the number’s sign: 0= positive and 
1=negative. Negative numbers are represented in standard two’s complement notation (the binary 
integers are the only 80287 format to use two’s complement). The quantity zero is represented with a 
positive sign (all bits are 0). The 80287 word integer format is identical to the 16-bit signed integer 
data type of the 80286. 


DECIMAL INTEGERS 


Decimal integers are stored in packed decimal notation, with two decimal digits “packed” into each 
byte, except the leftmost byte, which carries the sign bit (0=positive, 1=negative). Negative numbers 
are not stored in two’s complement form and are distinguished from positive numbers only by the 
sign bit. The most significant digit of the number is the leftmost digit. All digits must be in the range 
0H-9H. 
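The packed decimal layout described above, as an added C example (not code from the manual): it decodes and encodes the memory image and rejects any digit nibble outside 0H-9H. The function names and sample value are constructed for illustration; the 10-byte size (18 digits in the nine low-addressed bytes, sign in bit 7 of the highest-addressed byte) is the 80287 packed decimal format.

```c
#include <stdint.h>
#include <stdio.h>

#define PD_BYTES 10   /* nine digit bytes plus one sign byte */
#define PD_MAX   999999999999999999ULL   /* 18 decimal digits */

/* Decode a packed decimal image as it lies in memory (img[0] is the
 * lowest-addressed byte and holds the two least significant digits).
 * Returns 0 on success, -1 if any digit nibble is outside 0H-9H. */
int pd_decode(const uint8_t img[PD_BYTES], int64_t *out)
{
    int64_t mag = 0;
    for (int i = PD_BYTES - 2; i >= 0; i--) {   /* most significant pair first */
        unsigned hi = img[i] >> 4;
        unsigned lo = img[i] & 0x0F;
        if (hi > 9 || lo > 9)
            return -1;
        mag = mag * 100 + (int64_t)(hi * 10 + lo);
    }
    /* Only bit 7 of the top byte carries meaning; the other seven bits are
     * ignored on load. Sign-magnitude, so "negative zero" decodes to 0. */
    *out = (img[PD_BYTES - 1] & 0x80) ? -mag : mag;
    return 0;
}

/* Encode value into img. Returns -1 (img untouched) if the magnitude
 * needs more than 18 decimal digits. */
int pd_encode(int64_t value, uint8_t img[PD_BYTES])
{
    /* Magnitude computed without overflowing on INT64_MIN. */
    uint64_t mag = value < 0 ? (uint64_t)(-(value + 1)) + 1 : (uint64_t)value;
    if (mag > PD_MAX)
        return -1;
    for (int i = 0; i < PD_BYTES - 1; i++) {
        unsigned pair = (unsigned)(mag % 100);
        img[i] = (uint8_t)(((pair / 10) << 4) | (pair % 10));
        mag /= 100;
    }
    img[PD_BYTES - 1] = value < 0 ? 0x80 : 0x00;   /* unused bits stored as zeros */
    return 0;
}

int main(void)
{
    uint8_t img[PD_BYTES];
    int64_t v = 0;

    pd_encode(-1234, img);                 /* constructed sample value */
    for (int i = PD_BYTES - 1; i >= 0; i--)
        printf("%02X ", img[i]);           /* highest-addressed byte first */
    printf("\n");

    img[0] = 0x3A;                         /* corrupt one digit: AH is not 0H-9H */
    printf("decode of corrupted image: %d\n", pd_decode(img, &v));
    return 0;
}
```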


REAL NUMBERS 


The 80287 stores real numbers in a three-field binary format that resembles scientific, or exponential, 
notation. The number’s significant digits are held in the significand field, the exponent field locates 
the binary point within the significant digits (and therefore determines the number’s magnitude), and 
the sign field indicates whether the number is positive or negative. (The exponent and significand are 
analogous to the terms “characteristic” and “mantissa” used to describe floating point numbers on 
some computers.) Negative numbers differ from positive numbers only in the sign bits of their 
significands. 
(Format diagram, significance increasing to the left. Word integer (bits 15-0), short integer 
(bits 31-0) and long integer: sign bit and magnitude, two's complement. Packed decimal: sign and 
magnitude. Short real (bits 31-0), long real and temporary real (from bit 79): sign bit, biased 
exponent and significand.) 

NOTES: 
    S = Sign bit (0 = positive, 1 = negative) 
    Decimal digit (two per byte) 
    Bits have no significance; 80287 ignores when loading, zeros when storing. 
    Position of implicit binary point 
    Integer bit of significand: stored in temporary real, implicit (always 1) in short and long real 
    Exponent Bias (normalized values): 
        Short Real: 127 (7FH) 
        Long Real: 1023 (3FFH) 
        Temporary Real: 16383 (3FFFH) 

Figure 1-9. Data Formats 


Table 1-5 shows how the real number 178.125 (decimal) is stored in the 80287 short real format. The 
table lists a progression of equivalent notations that express the same value to show how a number can 
be converted from one form to another. The ASM286 and PL/M-286 language translators perform a 
similar process when they encounter programmer-defined real number constants. Note that not every 
decimal fraction has an exact binary equivalent. The decimal number 1/10, for example, cannot be 
expressed exactly in binary (just as the number 1/3 cannot be expressed exactly in decimal). When a 
translator encounters such a value, it produces a rounded binary approximation of the decimal value. 
Table 1-5. Real Number Notation 


Scientific Binary 
(Biased Exponent)        1▲0110010001E10000110 

80287 Short Real         Sign   Biased Exponent   Significand 
(Normalized)             0      10000110          01100100010000000000000 
                                                  1▲ (implicit) 


The NPX usually carries the digits of the significand in normalized form. This means that, except for 
the value zero, the significand is an integer and a fraction as follows: 


1▲fff...ff 


where ▲ indicates an assumed binary point. The number of fraction bits varies according to the real 
format: 23 for short, 52 for long, and 63 for temporary real. By normalizing real numbers so that their 
integer bit is always a 1, the 80287 eliminates leading zeros in small values (|X| < 1). This technique 
maximizes the number of significant digits that can be accommodated in a significand of a given width. 
Note that, in the short and long real formats, the integer bit is implicit and is not actually stored; the 
integer bit is physically present in the temporary real format only. 


If one were to examine only the significand with its assumed binary point, all normalized real numbers 
would have values between 1 and 2. The exponent field locates the actual binary point in the significant 
digits. Just as in decimal scientific notation, a positive exponent has the effect of moving the binary 
point to the right, and a negative exponent effectively moves the binary point to the left, inserting 
leading zeros as necessary. An unbiased exponent of zero indicates that the position of the assumed 
binary point is also the position of the actual binary point. The exponent field, then, determines a real 
number’s magnitude. 


In order to simplify comparing real numbers (e.g., for sorting), the 80287 stores exponents in a biased 
form. This means that a constant is added to the true exponent described above. The value of this bias 
is different for each real format (see figure 1-9). It has been chosen so as to force the biased exponent 
to be a positive value. This allows two real numbers (of the same format and sign) to be compared as 
if they are unsigned binary integers. That is, when comparing them bitwise from left to right (begin- 
ning with the leftmost exponent bit), the first bit position that differs orders the numbers; there is no 
need to proceed further with the comparison. A number’s true exponent can be determined simply by 
subtracting the bias value of its format. 
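The short real encoding of 178.125 and the biased-exponent comparison described above, as an added C example (not code from the manual). All function names are constructed for illustration, and `sr_from_host` assumes the host `float` uses the same 32-bit layout as the 80287 short real.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SR_BIAS      127   /* short real exponent bias (7FH) */
#define SR_FRAC_BITS 23    /* stored fraction bits; the integer bit is implicit */

/* Encode the positive value n / 2^k exactly as a normalized short real.
 * Returns 0 when n is zero, needs more than 24 significant bits, or the
 * biased exponent would fall outside the normalized range 1..254. */
uint32_t sr_encode(uint32_t n, int k)
{
    if (n == 0 || n >= (1u << 24))
        return 0;
    int msb = 23;
    while (!(n >> msb))            /* locate the integer bit */
        msb--;
    int biased = (msb - k) + SR_BIAS;
    if (biased < 1 || biased > 254)
        return 0;
    /* Drop the implicit integer bit and left-justify the fraction. */
    uint32_t frac = (n ^ (1u << msb)) << (SR_FRAC_BITS - msb);
    return ((uint32_t)biased << SR_FRAC_BITS) | frac;
}

unsigned sr_sign(uint32_t b)       { return b >> 31; }
unsigned sr_biased_exp(uint32_t b) { return (b >> SR_FRAC_BITS) & 0xFF; }
uint32_t sr_fraction(uint32_t b)   { return b & 0x7FFFFF; }
int      sr_true_exp(uint32_t b)   { return (int)sr_biased_exp(b) - SR_BIAS; }

/* Reinterpret a host float as its 32-bit image (assumes IEEE single). */
uint32_t sr_from_host(float f)
{
    uint32_t b;
    memcpy(&b, &f, sizeof b);
    return b;
}

/* Render "sign exponent fraction" as binary text; out needs 35 bytes. */
void sr_fields(uint32_t b, char out[35])
{
    int pos = 0;
    for (int bit = 31; bit >= 0; bit--) {
        out[pos++] = ((b >> bit) & 1) ? '1' : '0';
        if (bit == 31 || bit == SR_FRAC_BITS)
            out[pos++] = ' ';
    }
    out[pos] = '\0';
}

/* Order two normalized short reals of the same sign by comparing their
 * images as unsigned integers. Returns -1, 0 or 1 for a<b, a==b, a>b,
 * or -2 if the signs differ (the shortcut does not apply). */
int sr_compare_same_sign(uint32_t a, uint32_t b)
{
    if (sr_sign(a) != sr_sign(b))
        return -2;
    int c = (a > b) - (a < b);
    return sr_sign(a) ? -c : c;    /* larger magnitude is smaller when negative */
}

int main(void)
{
    char text[35];
    uint32_t img = sr_encode(1425, 3);   /* 178.125 = 1425 / 2^3 */

    sr_fields(img, text);
    printf("178.125 -> %08X  %s\n", (unsigned)img, text);
    printf("biased exponent %u, true exponent %d\n",
           sr_biased_exp(img), sr_true_exp(img));
    printf("matches host float image: %s\n",
           img == sr_from_host(178.125f) ? "yes" : "no");
    printf("compare 2.5 with 178.125: %d\n",
           sr_compare_same_sign(sr_from_host(2.5f), img));
    return 0;
}
```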


The short and long real formats exist in memory only. If a number in one of these formats is loaded 
into an 80287 register, it is automatically converted to temporary real, the format used for all internal 
operations. Likewise, data in registers can be converted to short or long real for storage in memory. 
The temporary real format may be used in memory also, typically to store intermediate results that 
cannot be held in registers. 
Most applications should use the long real form to store real number data and results; it provides 
sufficient range and precision to return correct results with a minimum of programmer attention. The 
short real format is appropriate for applications that are constrained by memory, but it should be 
recognized that this format provides a smaller margin of safety. It is also useful for debugging algorithms, 
because roundoff problems will manifest themselves more quickly in this format. The temporary real 
format should normally be reserved for holding intermediate results, loop accumulations, and constants. 
Its extra length is designed to shield final results from the effects of rounding and overflow/underflow 
in intermediate calculations. However, the range and precision of the long real form are adequate for 
most microcomputer applications. 


Rounding Control 


Internally, the 80287 employs three extra bits (guard, round, and sticky bits) that enable it to represent 
the infinitely precise true result of a computation; these bits are not accessible to programmers. Whenever 
the destination can represent the infinitely precise true result, the 80287 delivers it. Rounding occurs 
in arithmetic and store operations when the format of the destination cannot exactly represent the 
infinitely precise true result. For example, a real number may be rounded if it is stored in a shorter 
real format, or in an integer format. Or, the infinitely precise true result may be rounded when it is 
returned to a register. 


The NPX has four rounding modes, selectable by the RC field in the control word (see figure 1-5). 
Given a true result b that cannot be represented by the target data type, the 80287 determines the two 
representable numbers a and c that most closely bracket b in value (a < b < c). The processor then 
rounds (changes) b to a or to c according to the mode selected by the RC field as shown in table 1-6. 
Rounding introduces an error in a result that is less than one unit in the last place to which the result is 
rounded. “Round to nearest” is the default mode and is suitable for most applications; it provides the 
most accurate and statistically unbiased estimate of the true result. The chop mode is provided for 
integer arithmetic applications. 


“Round up” and “round down” are termed directed rounding and can be used to implement interval 
arithmetic. Interval arithmetic generates a certifiable result independent of the occurrence of rounding 
and other errors. The upper and lower bounds of an interval may be computed by executing an algorithm 
twice, rounding up in one pass and down in the other. 


Precision Control 


The 80287 allows results to be calculated with either 64, 53, or 24 bits of precision in the significand 
as selected by the precision control (PC) field of the control word. The default setting, and the one 
that is best suited for most applications, is the full 64 bits of significance provided by the temporary 
real format. The other settings are required by the proposed IEEE standard, and are provided to obtain 
compatibility with the specifications of certain existing programming languages. Specifying less 
precision nullifies the advantages of the temporary real format’s extended fraction length, and does not 
increase execution speed. When reduced precision is specified, the rounding of the fractional value 
clears the unused bits on the right to zeros. 


Table 1-6. Rounding Modes 


RC Field   Rounding Mode             Rounding Action 

00         Round to nearest          Closer to b of a or c; if equally close, 
                                     select even number (the one whose 
                                     least significant bit is zero). 
01         Round down (toward −∞)    a 
10         Round up (toward +∞)      c 
11         Chop (toward 0)           Smaller in magnitude of a or c 

NOTE: a < b < c; a and c are representable, b is not. 
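The rounding and precision control rules described above, as an added C example (not code from the manual): a 64-bit significand is rounded to the width selected by the PC field using the mode selected by the RC field, with the unused low bits cleared. The `treal` struct, the function names and the sample control words are constructed for illustration, and the reserved PC encoding is simply left unrounded here.

```c
#include <stdint.h>
#include <stdio.h>

/* RC field encodings (control word bits 10-11). */
typedef enum { RC_NEAREST = 0, RC_DOWN = 1, RC_UP = 2, RC_CHOP = 3 } rc_mode;

/* Simplified temporary real: sign, unbiased exponent, and a 64-bit
 * significand whose integer bit is bit 63. */
typedef struct {
    int      negative;
    int      exponent;
    uint64_t sig;
} treal;

/* PC field (control word bits 8-9) to significand width; 0 = reserved. */
unsigned pc_bits(unsigned pc)
{
    static const unsigned width[4] = { 24, 0, 53, 64 };
    return width[pc & 3];
}

/* Round b.sig to `bits` significant bits. The dropped bits play the role
 * of the true result b lying between representable neighbours a and c. */
treal round_significand(treal b, unsigned bits, rc_mode rc)
{
    if (bits == 0 || bits >= 64)
        return b;                          /* full precision or reserved */

    unsigned drop = 64 - bits;
    uint64_t kept = b.sig >> drop;
    uint64_t rem  = b.sig & ((1ULL << drop) - 1);
    uint64_t half = 1ULL << (drop - 1);
    int away = 0;                          /* 1 = step away from zero */

    if (rem != 0) {                        /* exact results are never changed */
        switch (rc) {
        case RC_NEAREST: away = rem > half || (rem == half && (kept & 1)); break;
        case RC_DOWN:    away = b.negative;  break;   /* toward -infinity */
        case RC_UP:      away = !b.negative; break;   /* toward +infinity */
        case RC_CHOP:    away = 0;           break;   /* toward zero */
        }
    }
    kept += (uint64_t)away;
    if (kept >> bits) {                    /* carry out of the top bit */
        kept >>= 1;
        b.exponent++;
    }
    b.sig = kept << drop;                  /* unused low bits become zeros */
    return b;
}

/* Apply the PC and RC fields of a control word image. */
treal round_with_control_word(treal b, uint16_t cw)
{
    unsigned pc = (cw >> 8) & 3;
    rc_mode  rc = (rc_mode)((cw >> 10) & 3);
    return round_significand(b, pc_bits(pc), rc);
}

int main(void)
{
    /* Constructed value: exactly halfway between two 24-bit significands. */
    treal b = { 0, 0, 0x8000018000000000ULL };
    static const char *name[4] = { "nearest", "down", "up", "chop" };

    for (unsigned rc = 0; rc < 4; rc++) {
        uint16_t cw = (uint16_t)(0x007F | (rc << 10));   /* PC = 00, 24 bits */
        treal r = round_with_control_word(b, cw);
        printf("%-8s %016llX\n", name[rc], (unsigned long long)r.sig);
    }
    return 0;
}
```

Rounding the same value with RC set to down and then to up yields the two representable neighbours that bracket it, which is the per-operation step interval arithmetic relies on.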


Infinity Control 


The 80287’s system of real numbers may be closed by either of two models of infinity. These two means 
of closing the number system, projective and affine closure, are illustrated schematically in figure 
1-10. The setting of the IC field in the control word selects one model or the other. The default means 
of closure is projective, and this is recommended for most computations. When projective closure is 
selected, the NPX treats the special values +∞ and −∞ as a single unsigned infinity (similar to its 
treatment of signed zeros). In the affine mode the NPX respects the signs of +∞ and −∞. 


While affine mode may provide more information than projective, there are occasions when the sign 
may in fact represent misinformation. For example, consider an algorithm that yields an intermediate 
result x of +0 and −0 (the same numeric value) in different executions. If 1/x were then computed 
in affine mode, two entirely different values (+∞ and −∞) would result from numerically identical 
values of x. Projective mode, on the other hand, provides less information but never returns misinfor- 
mation. In general, then, projective mode should be used globally, with affine mode reserved for local 
computations where the programmer can take advantage of the sign and knows for certain that the 
nature of the computations will not produce a misleading result. 


SPECIAL COMPUTATIONAL SITUATIONS 


Besides being able to represent positive and negative numbers, the 80287 data formats may be used to 
describe other entities. These special values provide extra flexibility, but most users will not need to 
understand them in order to use the 80287 successfully. This section describes the special values that 
may occur in certain cases and the significance of each. The 80286 exceptions are also described, for 
writers of exception handlers and for those interested in probing the limits of computation using the 
80287. 


The material presented in this section is mainly of interest to programmers concerned with writing 
exception handlers. For many readers, this section can be browsed lightly. 


(Figure 1-10 panel: PROJECTIVE CLOSURE) 


Special Numeric Values 


The 80287 data formats encompass encodings for a variety of special values in addition to the typical 
real or integer data values that result from normal calculations. These special values have significance 
and can express relevant information about the computations or operations that produced them. The 
various types of special values are 


• Non-normal real numbers, including 
    denormals 
    unnormals 
• Zeros and pseudo zeros 
• Positive and negative infinity 
• NaN (Not-a-Number) 
• Indefinite 


The following description explains the origins and significance of each of these special values. Tables 
1-12 through 1-15 at the end of this section show how each of these special values is encoded for each 
of the numeric data types.


NONNORMAL REAL NUMBERS


As described previously, the 80287 generally stores nonzero real numbers in normalized floating-point 
form; that is, the integer (leading) bit of the significand is always a 1. This bit is explicitly stored in 
the temporary real format, and is implicitly assumed to be a one (1▲) in the short- and long-real formats. 
Since leading zeros are eliminated, normalized storage allows the maximum number of significant 
digits to be held in a significand of a given width. 


When a floating-point numeric value becomes very close to zero, normalized storage cannot be used to 
express the value accurately. To accommodate these instances, the 80287 can store and operate on 
reals that are not normalized, i.e., whose significands contain one or more leading zeros. Nonnormals 
typically arise when the result of a calculation yields a value that is too small to be represented in 
normal form. 


Nonnormal values can exist in one of two forms: 


• The floating-point exponent may be stored at its most negative value (a Denormal),
• The integer bit (and perhaps other leading bits) of the significand may be zero (an Unnormal).


The leading zeros of nonnormals permit smaller numbers to be represented, at the cost of some lost 
precision (the number of significant bits is reduced by the leading zeros). In typical algorithms, extremely 
small values are most likely to be generated as intermediate, rather than final results. By using the 
NPX’s temporary real format for holding intermediates, values as small as ±3.4×10^-4932 can be 
represented; this makes the occurrence of nonnormal numbers a rare phenomenon in 80287 applications. 
Nevertheless, the NPX can load, store, and operate on nonnormalized real numbers when they do 
occur. 


Denormals and Gradual Underflow 


A denormal is the result of the NPX’s response to an underflow exception when that exception has 
been masked by the programmer (see the 80287 control word, figure 1-5). Underflow occurs when the 
absolute value of a real number becomes too small to be represented in the destination format, that is, 
when the exponent of the true result is too negative to be represented in the destination format. For 
example, a true exponent of −130 will cause underflow if the destination is short real, because −126 
is the smallest exponent this format can accommodate. No underflow would occur if the destination 
were long real or temporary real, since these formats can handle exponents down to −1023 and −16,383, 
respectively. 


Most computers underflow “abruptly:” they simply return a zero result, which is likely to produce an 
unacceptable final result if computation continues. The 80287, on the other hand, underflows “gradu- 
ally” when the underflow exception is masked. Gradual underflow is accomplished by denormalizing 
the result until it is just within the exponent range of the destination format. Denormalizing means 
incrementing the true result’s exponent and inserting a corresponding leading zero in the significand, 
shifting the rest of the significand one place to the right. Denormal values may occur in any of the 
short-real, long-real, or temporary-real formats. Table 1-7 illustrates how a result might be denormal- 
ized to fit a short-real destination. 


The intent of the 80287’s masked response to underflow is to allow computation to continue without 
program intervention, while introducing an error that carries about the same risk of contaminating the 
final result as roundoff error. Roundoff (precision) errors occur frequently in real number calculations; 
sometimes they spoil the result of computation, but often they do not. Recognizing that roundoff errors 
are often nonfatal, computation usually proceeds, and the programmer inspects the final results to see 
if these errors have had a significant effect. The 80287’s masked underflow response allows program- 
mers to treat underflows in a similar manner; the computation continues and the programmer can 
examine the final result to determine if an underflow has had important consequences. (If the 
underflow has had a significant effect, an invalid operation will probably be signalled later in the 
computation.) 


Denormalization produces a denormal or a zero. Denormals are readily identified by their exponents, 
which are always the minimum for their formats; in biased form, this is always the bit string: 00...00. 
This same exponent value is also assigned to the zeros, but a denormal has a nonzero significand. A 
denormal in a register is tagged special. Tables 1-14 and 1-15 later in this chapter show how denormal 
values are encoded in each of the real data formats. 


The denormalization process may cause the loss of low-order significand bits as they are shifted off the 
right. In a severe case, all the significand bits of the true result are shifted out and replaced by the 
leading zeros. In this case, the result of denormalization is a true zero, and if the value is in a register, 
it is tagged as such. However, this is a comparatively rare occurrence and, in any case, is no worse than 
“abrupt” underflow. 


Table 1-7. Denormalization Process 


True Result             1▲01011100...00
Denormalize             0▲101011100...00
Denormalize             0▲0101011100...00
Denormalize             0▲00101011100...00
Denormal Result(2)      0▲00101011100...00


NOTES: 
(1) Expressed as unbiased, decimal number. 
(2) Before storing, significand is rounded to 24 bits, integer bit is dropped, and exponent is biased by 
    adding 126. 
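The masked underflow response for a short-real store, carried out in software and checked against the host FPU, as an added example that is not code from the manual. The function names, the 64-bit significand layout (integer bit in bit 63) and round-to-nearest-even are assumptions of this example; the sample input pairs the −130 exponent from the text with the significand of Table 1-7.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHORT_MIN_EXP (-126)   /* smallest true exponent of a short real */

/* Round a 64-bit significand (integer bit = bit 63) to its top 24 bits using
 * round-to-nearest-even (assumed rounding mode). `sticky` is nonzero when
 * 1-bits were already shifted off the right during denormalization. */
static uint32_t round_to_24(uint64_t sig, int sticky)
{
    uint32_t kept = (uint32_t)(sig >> 40);        /* 24 bits that survive */
    uint64_t rest = sig & ((1ULL << 40) - 1);     /* 40 bits to discard   */
    uint64_t half = 1ULL << 39;

    if (rest > half || (rest == half && (sticky || (kept & 1u))))
        kept++;
    return kept;                                  /* may carry to 1 << 24 */
}

/* Masked underflow response for a store to short real.
 * Value = (-1)^negative * (sig / 2^63) * 2^true_exp, where sig is normalized
 * (bit 63 set) and true_exp <= 127 (overflow is outside this example).
 * *steps receives the number of denormalizing shifts that were needed. */
uint32_t store_short_real(int negative, int true_exp, uint64_t sig, int *steps)
{
    int sticky = 0, n = 0;

    /* Denormalize: raise the exponent by one and shift a leading zero into
     * the significand until the exponent reaches the format's minimum. */
    while (true_exp < SHORT_MIN_EXP && sig != 0) {
        sticky |= (int)(sig & 1u);
        sig >>= 1;
        true_exp++;
        n++;
    }
    if (steps)
        *steps = n;

    uint32_t m = round_to_24(sig, sticky);
    if (m >> 24) {                 /* rounding carried out of the top bit */
        m >>= 1;
        true_exp++;
    }
    /* Integer bit clear: denormal (or true zero), biased exponent 00...00.
     * Integer bit set: normal, integer bit dropped, exponent biased by 127. */
    uint32_t biased = (m >> 23) ? (uint32_t)(true_exp + 127) : 0u;
    return (negative ? 0x80000000u : 0u) | (biased << 23) | (m & 0x007FFFFFu);
}

/* Build the same value as a long real (low 11 bits of sig must be clear). */
double make_long_real(int negative, int true_exp, uint64_t sig)
{
    uint64_t bits = ((uint64_t)(negative != 0) << 63)
                  | ((uint64_t)(true_exp + 1023) << 52)
                  | ((sig >> 11) & 0x000FFFFFFFFFFFFFULL);
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* Let the host FPU perform the narrowing store and return the stored bits. */
uint32_t hardware_short_real(double x)
{
    volatile float f = (float)x;   /* volatile forces an actual store */
    float g = f;
    uint32_t bits;
    memcpy(&bits, &g, sizeof bits);
    return bits;
}

int main(void)
{
    const uint64_t sig = 0xAE00000000000000ULL;   /* binary 1.01011100...00 */
    int steps;
    uint32_t sw = store_short_real(0, -130, sig, &steps);
    uint32_t hw = hardware_short_real(make_long_real(0, -130, sig));

    printf("software 0x%08X after %d shifts, hardware 0x%08X\n",
           (unsigned)sw, steps, (unsigned)hw);
    return sw == hw ? 0 : 1;
}
```

A host running with flush-to-zero enabled returns a zero from `hardware_short_real` instead of the denormal, which is the "abrupt" underflow the text contrasts with the gradual response.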
Denormals are rarely encountered in most applications. Typical debugged algorithms generate extremely 
small results during the evaluation of intermediate subexpressions; the final result is usually of an 
appropriate magnitude for its short or long real destination. If intermediate results are held in 
temporary real, as is recommended, the great range of this format makes underflow very unlikely. Denormals 
are likely to arise only when an application generates a great many intermediates, so many that they 
cannot be held on the register stack or in temporary real memory variables. If storage limitations force 
the use of short or long reals for intermediates, and small values are produced, underflow may occur, 
and, if masked, may generate denormals. 


Accessing a denormal may produce an exception as shown in table 1-8. (The denormalized exception 
signals that a denormal has been fetched.) Denormals may have reduced significance due to lost low- 
order bits, and an option of the proposed IEEE standard precludes operations on nonnormalized 
operands. This option may be implemented in the form of an exception handler that responds to 
unmasked denormalized exceptions. Most users will mask this exception so that computation may 
proceed; any loss of accuracy will be analyzed by the user when the final result is delivered. 


As table 1-8 shows, the division and remainder operations do not accept denormal divisors and raise 
the invalid operation exception. Recall also that the transcendental instructions require normalized 
operands and do not check for exceptions. In all other cases, the NPX converts denormals to 
unnormals, and the rules governing unnormal arithmetic then apply (unnormals are described in the 
following section). 


Unnormals—Descendents of Denormal Operands 


An unnormal is the result of a computation using denormal operands and is therefore the descendent 
of the 80287’s masked underflow response. An unnormal may exist only in the temporary real format; 
it may have any exponent that a normal value may have (that is, in biased form any nonzero value), 
but it is distinguished from a normal by the integer bit of its significand, which is always 0. An unnor- 
mal in a register is tagged valid. Unnormals are distinct from denormals, which have an exponent of 
00...00 in biased form. 


Unnormals allow arithmetic to continue following an underflow while still retaining their identity as 
numbers that may have reduced significance. That is, unnormal operands generate unnormal results, 
so long as their unnormality has a significant effect on the result. Unnormals are thus prevented from 
“masquerading” as normals, numbers that have full significance. On the other hand, if an unnormal 
has an insignificant effect on a calculation with a normal, the result will be normal. For example, 
adding a small unnormal to a large normal yields a normal result. The converse situation yields an 
unnormal. 


Table 1-8. Exceptions Due to Denormal Operands 


FLD (short/long real)              Load as equivalent unnormal

Arithmetic (except following)      Convert (in a work area) denormal to equivalent
                                   unnormal and proceed

Compare and test                   Convert (in a work area) denormal to equivalent
                                   unnormal and proceed

Division or FPREM with             Return real indefinite
denormal divisor
Table 1-9 shows how the instruction set deals with unnormal operands. Note that the unnormal may 
be the original operand or a temporary created by the 80287 from a denormal. 


ZEROS AND PSEUDO ZEROS 


The value zero in the real and decimal integer formats may be signed either positive or negative, 
although the sign of a binary integer zero is always positive. For computational purposes, the value of 
zero always behaves identically, regardless of sign, and typically the fact that a zero may be signed is 
transparent to the programmer. If necessary, the FXAM instruction may be used to determine a zero’s 
sign. 


The zeros discussed above are called true zeros; if one of them is loaded or generated in a register, the 
register is tagged zero. Table 1-10 lists the results of instructions executed with zero operands and also 
shows how a true zero may be created from nonzero operands. 


Only the temporary real format may contain a special class of values called pseudo zeros. A pseudo 
zero is an unnormal whose significand is all zeros, but whose (biased) exponent is nonzero (true zeros 
have a zero exponent). Neither is a pseudo zero’s exponent all ones, since this encoding is reserved for 
infinities and NaNs. A pseudo zero result will be produced if two unnormals, containing a total of 
more than 64 leading zero bits in their significands, are multiplied together. This is a remote possibility 
in most applications, but it can happen. 


Pseudo zero operands behave like unnormals, except in the following cases where they produce the 
same results as true zeros: 


• Compare and test instructions
• FRNDINT (round to integer)
• Division, where the dividend is either a true zero or a pseudo zero (the divisor is a pseudo zero)


Table 1-9. Unnormal Operands and Results 


Operation                              Result

Addition/subtraction                   Normalization of operand with larger absolute
                                       value determines normalization of result.

Multiplication                         If either operand is unnormal, result is unnormal.

Division (unnormal dividend only)      Result is unnormal.

FPREM (unnormal dividend only)         Result is normalized.

Division/FPREM (unnormal divisor)      Signal invalid operation.

Compare/FTST                           Normalize as much as possible before making
                                       comparison.

FRNDINT                                Normalize as much as possible before rounding.

FSQRT                                  Signal invalid operation.

FST, FSTP (short/long real             If value is above destination’s underflow boundary,
destination)                           then signal invalid operation; else signal
                                       underflow.

FSTP (temporary real destination)      Store as usual.

FIST, FISTP, FBSTP                     Signal invalid operation.

FLD                                    Load as usual.

FXCH                                   Exchange as usual.

Transcendental instructions            Undefined; operands must be normal and are not
                                       checked.
In addition and subtraction of a pseudo zero and a true zero or another pseudo zero, the pseudo zero(s) 
behave like unnormals, except for the determination of the result’s sign. The sign is determined as 
shown in table 1-10 for two true zero operands. 


Table 1-10. Zero Operands and Results 


_ Operation/Operands St os Operation /Operands [ret 


FLD, FBLD” Division 


+0 =O 20 Invalid operation 

—0 EK 0 Zerodivide 
FILD@ 7 | FOS ER se OS eX EO > 

+O. : iQ se Se Oo EX =O: 

FST, FSTP Gb Fe SK Ye a Y +0: underflow®) 
+0 KAP SENG Kae ey — 0, underflow® 
—0O | : EG 
+ X(3) | FPREM Y oe. : 

— X‘) | | +O rem +0 > Invalid operation 
FBSTP | . : 7 +Xrem +0 © Invalid operation 
— +0 +Orem +X, +Orem:—X | +0 | 
1 aD) | —Qrem +X, —Orem:—X | —O © 
FIST, FISTP +X rem +yY, +X rem —Y | +0. 

“+O —X rem —Y, —Xrem +Y 
. #0 ae 2 ine 3 : 
+X FSQRT 

—xX® —0O 

+0 

Addition 
+0 plus +0 Compare 
—Q plus —0 | | Or EX. 
+0 plus —0, —0O plus +0 +O: 0 
—X plus +X, +X plus —X +0: —X 
+0 plus +X, +X plus +0 | 

7 FTST 

Subtraction +0 
+0 minus —0O +O wh FCHS 
—0O minus +0 , =O — +0 
+0 minus +0, —0O minus » *Q0) . —0 
+X minus +X, —X minus Oey: * FABS 
+Q minus +X, +X minus + TX® +0 

| F2XM1 

Multiplication | +0 
+0*«+0, —O+ —0 | +0 - —0 
+0+—0, —O++0 =0 FRNDINT 
+0°«+X, +Xe+0 +0 : +0 
+O° —X, —Xe+0 —0 —0 
—O* +X, +Xe—0 —0 -| FXTRACT coe. 

—O* —X, —Xe —0. | +0 +0 Both +0 
PKS NY eK eV +0, underflow” = 7 Both —0 
+tXe~Y,—Xe+yV - — 0, underflow” 7 i 


NOTES: 

(1) Arithmetic and compare operations with real memory operands interpret the memory operand signs in 
    the same way. 
(2) Arithmetic and compare operations with binary integers interpret the integer sign in the same manner. 
(3) Severe underflows in storing to short or long real may generate zeros. 
(4) Small values (|X| < 1) stored into integers may round to zero. 
(5) Sign is determined by round mode: 
      + for nearest, up, or chop 
      − for down 
(6) ± = sign of X. 
(7) Very small values of X and Y may yield zeros, after rounding of true result. NPX signals underflow to 
    warn that zero has been yielded by nonzero operands. 
(8) Very small X and very large Y may yield zero, after rounding of true result. NPX signals underflow to 
    warn that zero has been yielded from nonzero operands. 
(9) When Y divides into X exactly. 


INFINITY 


The real formats support signed representations of infinities. These values are encoded with a biased 
exponent of all ones and a significand of 1▲00...00; if the infinity is in a register, it is tagged special. 
The significand distinguishes infinities from NaNs, including real indefinite. 


A programmer may code an infinity, or it may be created by the NPX as its masked response to an 
overflow or a zero divide exception. Note that when rounding is up or down, the masked response may 
create the largest valid value representable in the destination rather than infinity. See table 1-11 for 
details. As operands, infinities behave somewhat differently depending on how the infinity control field 
in the control word is set (see table 1-12). When the projective model of infinity is selected, the infini- 
ties behave as a single unsigned representation; because of this, infinity cannot be compared with any 
value except infinity. In affine mode, the signs of the infinities are observed, and comparisons are 
possible. 


NaN (NOT A NUMBER) 


A NaN (Not a Number) is a member of a class of special values that exist in the real formats only. A 
NaN has an exponent of 11..11B, may have either sign, and may have any significand except 1▲00..00B, 
which is assigned to the infinities. A NaN in a register is tagged special. 


The 80287 will generate the special NaN, real indefinite, as its masked response to an invalid operation 
exception. This NaN is signed negative; its significand is encoded 1▲100..00. All other NaNs represent 
programmer-created values. 


Whenever the NPX uses an operand that is a NaN, it signals an invalid operation exception in its 
status word. If this exception is masked in the 80287 control word, the 80287’s masked exception 
response is to return the NaN as the operation result. If both operands of an instruction are NaNs, the 
result is the NaN with the larger absolute value. In this way, a NaN that enters a computation propa- 
gates through the computation and will eventually be delivered as the final result. Note, however, that 
the transcendental instructions do not check their operands, and a NaN will produce an undefined 
result. 


By unmasking the invalid operation exception, the programmer can use NaNs to trap to the exception 
handler. The generality of this approach and the large number of NaN values that are available provide 
the sophisticated programmer with a tool that can be applied to a variety of special situations. 


For example, a compiler could use NaNs as references to uninitialized (real) array elements. The 
compiler could preinitialize each array element with a NaN whose significand contained the index 
(relative position) of the element. If an application program attempted to access an element that it had 
not initialized, it would use the NaN placed there by the compiler. If the invalid operation exception 
were unmasked, an interrupt would occur, and the exception handler would be invoked. The exception 
handler could determine which element had been accessed, since the operand address field of the 
exception pointers would point to the NaN, and the NaN would contain the index number of the array 
element. 


NaNs could also be used to speed up debugging. In its early testing phase, a program often contains 
multiple errors. An exception handler could be written to save diagnostic information in memory 
whenever it was invoked. After storing the diagnostic data, it could supply a NaN as the result of the 
erroneous instruction, and that NaN could point to its associated diagnostic area in memory. The 
program would then continue, creating a different NaN for each error. When the program ended, the 
NaN results could be used to access the diagnostic data saved at the time the errors occurred. Many 
errors could thus be diagnosed and corrected in one test run. 
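The uninitialized-array scheme described above, as an added example that is not code from the manual. It uses the long real (C `double`) encoding, and an explicit operand check stands in for the unmasked invalid-operation trap; the tag value, the field layout inside the significand and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXP_ALL_ONES  0x7FF0000000000000ULL  /* biased exponent 11...11       */
#define FRACTION_MASK 0x000FFFFFFFFFFFFFULL  /* stored significand bits       */
#define SIGN_BIT      0x8000000000000000ULL
#define QUIET_BIT     0x0008000000000000ULL  /* top stored significand bit    */
#define TAG_MASK      0x0007FFFF00000000ULL  /* assumed layout: 19-bit tag    */
#define UNINIT_TAG    0x0005A5A500000000ULL  /* constructed marker value      */
#define INDEX_MASK    0x00000000FFFFFFFFULL  /* assumed layout: 32-bit index  */

enum special_class {
    CLASS_FINITE, CLASS_INFINITY, CLASS_REAL_INDEFINITE,
    CLASS_UNINIT_MARKER, CLASS_OTHER_NAN
};

uint64_t bits_of(double x)    { uint64_t b; memcpy(&b, &x, sizeof b); return b; }
double from_bits(uint64_t b)  { double x;   memcpy(&x, &b, sizeof x); return x; }

/* NaN whose significand carries the element's index. */
double uninit_marker(uint32_t index)
{
    return from_bits(EXP_ALL_ONES | QUIET_BIT | UNINIT_TAG | index);
}

/* Sort a long real into the classes the text distinguishes by encoding. */
enum special_class classify(double x)
{
    uint64_t b = bits_of(x);
    uint64_t fraction = b & FRACTION_MASK;

    if ((b & EXP_ALL_ONES) != EXP_ALL_ONES)
        return CLASS_FINITE;
    if (fraction == 0)                       /* significand 1.00...00 */
        return CLASS_INFINITY;
    if ((b & SIGN_BIT) && fraction == QUIET_BIT)
        return CLASS_REAL_INDEFINITE;        /* negative, 1.100...00  */
    if ((b & QUIET_BIT) && (b & TAG_MASK) == UNINIT_TAG)
        return CLASS_UNINIT_MARKER;
    return CLASS_OTHER_NAN;
}

/* What the compiler in the text would emit before the program runs. */
void preinitialize(double *a, size_t n)
{
    for (size_t i = 0; i < n; i++)
        a[i] = uninit_marker((uint32_t)i);
}

/* Sum n elements, checking each operand first (the handler's role).
 * Returns 0 and sets *sum, or returns -1 and sets *origin to the index
 * stored in the marker, which survives copies of the element. */
int checked_sum(const double *a, size_t n, double *sum, uint32_t *origin)
{
    double s = 0.0;

    for (size_t i = 0; i < n; i++) {
        if (classify(a[i]) == CLASS_UNINIT_MARKER) {
            *origin = (uint32_t)(bits_of(a[i]) & INDEX_MASK);
            return -1;
        }
        s += a[i];
    }
    *sum = s;
    return 0;
}

int main(void)
{
    double a[6], copy[3], sum = 0.0;
    uint32_t origin = 0;

    preinitialize(a, 6);
    a[0] = 1.5; a[1] = 2.5; a[2] = 3.0; a[3] = 4.0; a[5] = 6.0; /* a[4] forgotten */

    /* Copy a slice elsewhere: the marker still names its original slot. */
    copy[0] = a[3]; copy[1] = a[4]; copy[2] = a[5];

    if (checked_sum(copy, 3, &sum, &origin) != 0)
        printf("use of uninitialized element, original index %u\n",
               (unsigned)origin);
    return 0;
}
```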


Table 1-11. Masked Overflow Response with Directed Rounding 


- True Result 
a oa Rounding 


| Result Delivered 
aaa Mode | ) 
Normalization 


Normal | +09 
_ Normal | | Largest finite positive number” 
_ Norma! | ; Largest finite negative number” 
Normal | oe 
Unnormal 


Unnormal Largest exponent, result’s significand® 


Unnormal Largest exponent, result’s significand® 
Unnormal — oo | 


NOTES: 


(1) The largest valid representable reals are encoded: 
      exponent: 11...10B 
      significand: (1)▲11...10B 

(2) The significand retains its identity as an unnormal; the true result is rounded as usual (effectively 
    chopped toward 0 in this case). The exponent is encoded 11...10B. 


Table 1-12. Infinity Operands and Results 


| | Projective Result Affine Result 


Addition 


+ co plus +oo. 
_ oo pluS —oo 
+ oo plus —oco 
—oo plus +co 
+coo plus +X 
+X plus +oo 


~ Subtraction 


+oo minus —co 
—oo minus +00 
+oo minus +0o 
—oco minus —co 
+oo minus +X 
+X minus +oco 


Invalid operation 
Invalid operation 
Invalid operation 
Invalid operation 


Invalid operation 
Invalid operation 
Invalid operation 
Invalid operation 


+00 


~ ™ OO 


Invalid operation 
Invalid operation 


+O 


=O 


Invalid operation 
Invalid operation 
*00 , < 
Table 1-12. Infinity Operands and Results (Cont’d.) 


Multiplication 
eS ipl ae @ 6) 
tooe +Y 


+Q* +c, tco* +0 


Division 
OO =, Ae OO 
FOO eee KR 
a OO 


FSQRT 
—™ CO 
+00 

FPREM 
~toorem too 
+oorem +X 
+Y rem +co 
+0 rem +co 


FRNDINT 
OO 


FSCALE 
+ oo scaled by +00 
+oo scaled by +X 
+0 scaled by +co 
+Y scaled by: +00 


FXTRACT 
+00 | 


Compare 
Oo; <b Co 
t-Oor te ¥: 
Go: 0; 

FTST 


1a O.@ 


NOTES: 


X = zero or nonzero operand 


Y = nonzero operand 


* 


®@ 
@ 
Invalid operation 


Invalid operation 
® 
® 


Invalid operation 
Invalid operation 


Invalid operation 


Invalid operation — 


Invalid operation 
*0O 

*0 

Invalid operation 


Invalid operation 
A=B 
A ? B (and) invalid operation 


A ? B (and) invalid operation 


A ? B (and) invalid operation 


® 
® ‘ ' 
Invalid operation 


Invalid operation — 
® 
® 


Invalid operation 
iGo 


Invalid operation 
Invalid operation 
*V ‘ 

*0 


Invalid operation — 


* 


CO 
*0 | 
Invalid operation 


Invalid operation 


=.= FO 


—c <Y< +0 
—-c <0< +c 


* = sign of original operand 
† = sign is complement of original operand’s sign 
⊕ = sign is “exclusive or” of original operand signs (+ if operands had same sign, − if operands had 
    different signs) 


INDEFINITE 


For every 80287 numeric data type, one unique encoding is reserved for representing the special value 
indefinite. The 80287 produces this encoding as its response to a masked invalid-operation exception. 
In the case of reals, the indefinite value can be stored and loaded like any NaN, and it always retains 
its special identity; programmers are advised not to use this encoding for any other purpose. Packed 
decimal indefinite may be stored by the NPX in a FBSTP instruction; attempting to use this encoding 
in a FBLD instruction, however, will have an undefined result. In the binary integers, the same encoding 
may represent either indefinite or the largest negative number supported by the format (−2^15, 
−2^31, or −2^63). The 80287 will store this encoding as its masked response to an invalid operation, or 
when the value in a source register represents or rounds to the largest negative integer representable 
by the destination. In situations where its origin may be ambiguous, the invalid operation exception 
flag can be examined to see if the value was produced by an exception response. When this encoding 
is loaded, or used by an integer arithmetic or compare operation, it is always interpreted as a negative 
number; thus indefinite cannot be loaded from a packed decimal or binary integer. 


ENCODING OF DATA TYPES 


Tables 1-13 through 1-16 show how each of the special values just described is encoded for each of the 
numeric data types. In these tables, the least-significant bits are shown to the right and are stored in 
the lowest memory addresses. The sign bit is always the left-most bit of the highest-addressed byte. 


Table 1-13. Binary Integer Encodings 


[Table body not recoverable from the scan. Surviving row labels: Positives (Largest to Smallest), 0, 
and a final row marked Largest/Indefinite*. Magnitude field widths legible in the scan: Word, 15 bits; 
Long, 63 bits.] 


NOTES: 


* If this encoding is used as a source operand (as in an integer load or integer arithmetic instruction), the 
80287 interprets it as the largest negative number representable in the format: −2^15, −2^31, or −2^63. The 
80287 will deliver this encoding to an integer destination in two cases: 


1) If the result is the largest negative number 


2) As the response to a masked invalid operation exception, in which case it represents the special value 
integer indefinite. 
Table 1-14. Packed Decimal Encodings 


[Table body not recoverable from the scan. Surviving row labels: Positives (Largest, Smallest), zero, 
Negatives (Smallest, Largest), Indefinite. Field widths: 1 byte, followed by a 9-byte magnitude.] 


NOTES: 


1. The packed decimal indefinite encoding is stored by FBSTP in response to a masked invalid operation 
exception. Attempting to load this value via FBLD produces an undefined result. 


2. UUUU means bit values are undefined and may contain any value. 
Table 1-15. Real and Long Real Encodings 


[Table body not recoverable from the scan. Columns: Class, Biased Exponent, Significand*. Surviving row 
labels: Positives, Normals, Denormals. Field widths: Short, 8 bits and 23 bits; Long, 11 bits and 52 bits.] 


*Integer bit is implied and not stored. 
Table 1-16. Temporary Real Encodings 


[Table body not recoverable from the scan. Columns: Class, Biased Exponent, Significand. Surviving row 
labels: Normals, Denormals, Unnormals, Negatives. Field widths: 15 bits and 64 bits.] 


Numeric Exceptions 

Whenever the 80287 NPX attempts a numeric operation with invalid operands or produces a result 
that cannot be represented, the 80287 recognizes a numeric exception condition. Altogether, the 80287 
checks for the following six classes of exceptions while executing numeric instructions: 


1. Invalid operation 
2. Divide-by-zero 
3. Denormalized operand 
4. Numeric overflow 
5. Numeric underflow 
6. Inexact result (precision) 


INVALID OPERATION 
The 80287 reports an invalid operation if any of the following occurs: 


• An attempt to load a register that is not empty (stack overflow). 
• An attempt to pop an operand from an empty register (stack underflow). 
• An operand is a NaN. 
• The operands cause the operation to be indeterminate (square root of a negative number, 0/0). 


An invalid operation generally indicates a program error. 


ZERO DIVISOR 


If an instruction attempts to divide a finite nonzero operand by zero, the 80287 will report a zero divide 
exception. 
DENORMALIZED OPERAND 


If an instruction attempts to operate on a denormal, the NPX reports the denormalized operand excep- 
tion. This exception allows users to implement in software an option of the proposed IEEE standard 
specifying that operands must be prenormalized before they are used. 


NUMERIC OVERFLOW AND UNDERFLOW 


If the exponent of a numeric result is too large for the destination real format, the 80287 signals a 
numeric overflow. Conversely, if the exponent of a result is too small to be represented in the destina- 
tion format, a numeric underflow is signaled. If either of these exceptions occurs, the result of the 
operation is outside the range of the destination real format. 


Typical algorithms are most likely to produce extremely large and small numbers in the calculation of 
intermediate, rather than final, results. Because of the great range of the temporary real format 
(recommended as the destination format for intermediates), overflow and underflow are relatively rare 
events in most 80287 applications. 


INEXACT RESULT 


If the result of an operation is not exactly representable in the destination format, the 80287 rounds 
the number and reports the precision exception. For example, the fraction 1/3 cannot be precisely repre- 
sented in binary form. This exception occurs frequently and indicates that some (generally acceptable) 
accuracy has been lost; it is provided for applications that need to perform exact arithmetic only. 


HANDLING NUMERIC ERRORS 
When numeric errors occur, the NPX takes one of two possible courses of action: 


• The NPX can itself handle the error, producing the most reasonable result and allowing numeric 
  program execution to continue undisturbed. 
• A software exception handler can be invoked by the CPU to handle the error. 


Each of the six exception conditions described above has a corresponding flag bit in the 80287 status 
word and a mask bit in the 80287 control word. If an exception is masked (the corresponding mask bit 
in the control word = 1), the 80287 takes an appropriate default action and continues with the compu- 
tation. If the exception is unmasked (mask=0), the 80287 asserts the ERROR output to the 80286 to 
signal the exception and invoke a software exception handler. 


The NPX reports an exception by setting the corresponding flag in the NPX status word to 1. The 
NPX then checks the corresponding exception mask in the control word to determine if it should 
“field” the exception (mask=1), or if it should signal the exception to the CPU to invoke a software 
exception handler (mask=0). 


If the mask is set, the exception is said to be masked (from user software), and the NPX executes its 
on-chip masked response for that exception. If the mask is not set (mask=0), the exception is unmasked, 
and the NPX performs its unmasked response. The masked response always produces a standard result, 
then proceeds with the instruction. The unmasked response always traps to a software exception handler, 
allowing the CPU to recognize and take action on the exception. Table 1-17 gives a complete descrip- 
tion of all exception conditions and the NPX’s masked response. 
Table 1-17. Exception Conditions and Masked Responses 


Condition                                           Masked Response

Invalid Operation

Source register is tagged empty (usually due        Return real indefinite.
to stack underflow).

Destination register is not tagged empty            Return real indefinite (overwrite destination
(usually due to stack overflow).                    value).

One or both operands is a NaN.                      Return NaN with larger absolute value (ignore
                                                    signs).

(Compare and test operations only): one or          Set condition codes “not comparable.”
both operands is a NaN.

(Addition operations only): closure is affine and   Return real indefinite.
operands are opposite-signed infinities; or
closure is projective and both operands are ∞
(signs immaterial).

(Subtraction operations only): closure is affine    Return real indefinite.
and operands are like-signed infinities; or
closure is projective and both operands are ∞
(signs immaterial).

(Multiplication operations only): ∞ * 0; or 0 * ∞.  Return real indefinite.

(Division operations only): ∞ ÷ ∞; or 0 ÷ 0;        Return real indefinite.
or 0 ÷ pseudo zero; or divisor is denormal or
unnormal.

(FPREM instruction only): modulus (divisor) is      Return real indefinite, set condition code =
unnormal or denormal; or dividend is ∞.             “complete remainder.”

(FSQRT instruction only): operand is nonzero        Return real indefinite.
and negative; or operand is denormal or
unnormal; or closure is affine and operand is
−∞; or closure is projective and operand is
∞.

(Compare operations only): closure is projective    Set condition code = “not comparable.”
and ∞ is being compared with 0, a normal,
or ∞.

(FTST instruction only): closure is projective      Set condition code = “not comparable.”
and operand is ∞.

(FIST, FISTP instructions only): source register    Store integer indefinite.
is empty, a NaN, denormal, unnormal, ∞,
or exceeds representable range of destination.

(FBSTP instruction only): source register is        Store packed decimal indefinite.
empty, a NaN, denormal, unnormal, ∞, or
exceeds 18 decimal digits.

(FST, FSTP instructions only): destination is       Store real indefinite.
short or long real and source register is an
unnormal with exponent in range.

(FXCH instruction only): one or both registers      Change empty register(s) to real indefinite and
is tagged empty.                                    then perform exchange.
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Table 1-17. Exception Conditions and Masked Responses (Cont’d.) 


Condition / Masked Response 

Denormalized Operand 


Condition: (FLD instruction only): source operand is denormal. 
Masked Response: No special action; load as usual. 

Condition: (Arithmetic operations only): one or both operands is denormal. 
Masked Response: Convert (in a work area) the operand to the equivalent unnormal and proceed. 

Condition: (Compare and test operations only): one or both operands is denormal or unnormal (other 
than pseudo zero). 
Masked Response: Convert (in a work area) any denormal to the equivalent unnormal; normalize as 
much as possible, and proceed with operation. 


Condition: (Division operations only): divisor = 0. 
Masked Response: Return ∞ signed with “exclusive or” of operand signs. 


Condition: (Arithmetic operations only): rounding is nearest or chop, and exponent of true result 
> 16,383. 
Masked Response: Return properly signed ∞ and signal precision exception. 

Condition: (FST, FSTP instructions only): rounding is nearest or chop, and exponent of true result 
> +127 (short real destination) or > +1023 (long real destination). 
Masked Response: Return properly signed ∞ and signal precision exception. 


Condition: (Arithmetic operations only): exponent of true result < −16,382 (true). 
Masked Response: Denormalize until exponent rises to −16,382 (true), round significand to 64 bits. 
If denormalized rounded significand = 0, then return true 0; else, return denormal (tag = special, 
biased exponent = 0). 

Condition: (FST, FSTP instructions only): destination is short real and exponent of true result < −126 
(true). 
Masked Response: Denormalize until exponent rises to −126 (true), round significand to 24 bits, store 
true 0 if denormalized rounded significand = 0; else, store denormal (biased exponent = 0). 

Condition: (FST, FSTP instructions only): destination is long real and exponent of true result < −1022 
(true). 
Masked Response: Denormalize until exponent rises to −1022 (true), round significand to 53 bits, store 
true 0 if rounded denormalized significand = 0; else, store denormal (biased exponent = 0). 


Condition: True rounding error occurs. 
Masked Response: No special action. 

Condition: Masked response to overflow exception earlier in instruction. 
Masked Response: No special action. 


Note that when exceptions are masked, the NPX may detect multiple exceptions in a single instruction, 
because it continues executing the instruction after performing its masked response. For example, the 
80287 could detect a denormalized operand, perform its masked response to this exception, and then 
detect an underflow. 


Automatic Exception Handling 


As described in the previous section, when the 80287 NPX encounters an exception condition whose 
corresponding mask bit in the NPX control word is set, the NPX automatically performs an internal 
fix-up (masked-exception) response. The 80287 NPX has a default fix-up activity for every possible 
exception condition it may encounter. These masked-exception responses are designed to be safe and 
are generally acceptable for most numeric applications. 


As an example of how even severe exceptions can be handled safely and automatically using the NPX’s 
default exception responses, consider a calculation of the parallel resistance of several values using 
only the standard formula (figure 1-11). If R1 becomes zero, the circuit resistance becomes zero. With 
the divide-by-zero and precision exceptions masked, the 80287 NPX will produce the correct result. 


By masking or unmasking specific numeric exceptions in the NPX control word, NPX programmers 
can delegate responsibility for most exceptions to the NPX, reserving the most severe exceptions for 
programmed exception handlers. Exception-handling software is often difficult to write, and the NPX’s 
masked responses have been tailored to deliver the most reasonable result for each condition. For the 
majority of applications, programmers will find that masking all exceptions other than Invalid Opera- 
tion will yield satisfactory results with the least programming effort. An Invalid Operation exception 
normally indicates a fatal error in a program that must be corrected; this exception should not normally 
be masked. 


The exception flags in the NPX status word provide a cumulative record of exceptions that have occurred 
since these flags were last cleared. Once set, these flags can be cleared only by executing the FCLEX 
(clear exceptions) instruction, by reinitializing the NPX, or by overwriting the flags with an FRSTOR 
or FLDENV instruction. This allows a programmer to mask all exceptions (except invalid operation), 
run a calculation, and then inspect the status word to see if any exceptions were detected at any point 
in the calculation. 
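

A software model of the masked responses and sticky exception flags described above, added here as an illustration in C; it is not code from the manual. The struct and function names and the resistor values are constructed, the reciprocal-sum formula is the usual one for parallel resistors, NAN stands in for real indefinite, and only the zero-divisor and 0 ÷ 0 cases of division are modelled (the precision exception is not).

```c
#include <math.h>    /* INFINITY and NAN macros only; no libm calls */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Exception bits: same positions in the control word (masks) and status word (flags). */
enum { NPX_IE = 0x01, NPX_DE = 0x02, NPX_ZE = 0x04,
       NPX_OE = 0x08, NPX_UE = 0x10, NPX_PE = 0x20, NPX_ALL = 0x3F };

struct npx_model {
    unsigned masks;   /* 1 = exception masked: the model applies the fix-up itself */
    unsigned flags;   /* sticky: cleared only by npx_fclex() in this model */
    int error_line;   /* 1 once an unmasked exception has been signalled */
};

struct outcome { double value; unsigned flags; int error_line; };

static int sign_bit(double x)          /* reads the sign bit, so -0 counts as negative */
{
    uint64_t bits;
    memcpy(&bits, &x, sizeof bits);
    return (int)(bits >> 63);
}

static int is_finite(double x) { return (x - x) == 0.0; }

/* Division with the masked responses for divisor = 0 and for 0 / 0. */
static double npx_div(struct npx_model *n, double dividend, double divisor)
{
    unsigned raised = 0;
    double fixup = 0.0;

    if (divisor == 0.0 && dividend == 0.0) {
        raised = NPX_IE;               /* invalid operation */
        fixup = NAN;                   /* stand-in for real indefinite */
    } else if (divisor == 0.0 && is_finite(dividend)) {
        raised = NPX_ZE;               /* infinity signed by XOR of operand signs */
        fixup = (sign_bit(dividend) ^ sign_bit(divisor)) ? -INFINITY : INFINITY;
    }
    if (!raised)
        return dividend / divisor;
    n->flags |= raised;                /* recorded whether masked or not */
    if (!(n->masks & raised)) {
        n->error_line = 1;             /* unmasked: no fix-up, caller must stop */
        return dividend;
    }
    return fixup;
}

static void npx_fclex(struct npx_model *n) { n->flags = 0; n->error_line = 0; }

/* R = 1 / (1/R1 + 1/R2 + 1/R3), written with no special case for a zero resistor. */
static double parallel_resistance(struct npx_model *n, double r1, double r2, double r3)
{
    const double r[3] = { r1, r2, r3 };
    double sum = 0.0;
    int i;

    for (i = 0; i < 3; i++) {
        sum += npx_div(n, 1.0, r[i]);
        if (n->error_line)
            return NAN;                /* an exception handler would take over here */
    }
    return npx_div(n, 1.0, sum);
}

/* Runs one calculation on a fresh model and reports value, flags and ERROR state. */
static struct outcome run(unsigned masks, double r1, double r2, double r3)
{
    struct npx_model n = { masks, 0, 0 };
    struct outcome o;

    o.value = parallel_resistance(&n, r1, r2, r3);
    o.flags = n.flags;
    o.error_line = n.error_line;
    return o;
}

int main(void)
{
    struct npx_model n = { NPX_ALL & ~NPX_IE, 0, 0 };  /* mask all but invalid operation */
    struct outcome o;
    double r;

    r = parallel_resistance(&n, 0.0, 100.0, 220.0);    /* constructed values */
    printf("R1 = 0:      R = %g, flags = %02X\n", r, n.flags);
    r = parallel_resistance(&n, 4.0, 4.0, 2.0);
    printf("second run:  R = %g, flags still %02X\n", r, n.flags);
    npx_fclex(&n);
    printf("after FCLEX: flags = %02X\n", n.flags);

    o = run(NPX_ALL & ~NPX_ZE, 0.0, 100.0, 220.0);     /* zerodivide unmasked */
    printf("unmasked:    ERROR = %d, flags = %02X\n", o.error_line, o.flags);
    return 0;
}
```

With the zerodivide exception masked the zero resistor yields 0 and leaves the flag set for later inspection; unmasked, the same input stops at the first division with ERROR signalled.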


Software Exception Handling 


If the NPX encounters an unmasked exception condition, it signals the exception to the 80286 CPU 
using the ERROR status line between the two processors. 


Figure 1-11. Arithmetic Example Using Infinity 


The next time the 80286 CPU encounters a WAIT or ESC instruction in its instruction stream, the 
80286 will detect the active condition of the ERROR status line and automatically trap to an exception 
response routine using interrupt #16—the Processor Extension Error exception. 


This exception response routine is typically a part of the systems software. Typical exception responses 
may include 


• Incrementing an exception counter for later display or printing 
• Printing or displaying diagnostic information (e.g., the 80287 environment and registers) 
• Aborting further execution 
• Using the exception pointers to build an instruction that will run without exception and executing 
  it 


Application programmers on iAPX 286 systems having systems software support for the 80287 NPX 
should consult their references for the appropriate system response to NPX exceptions. For systems 
programmers, specific details on writing software exception handlers are included in the section “System- 
Level Numeric Programming” later in this supplement. 


The 80287 NPX differs from the 8087 NPX in the manner in which numeric exceptions are signalled 
to the CPU; the 8087 requires an interrupt controller (8259A) to interrupt the CPU, while the 80287 
does not. Programmers upgrading iAPX 86/20 software to operate on iAPX 286 systems should be 
aware of these differences and any implications they might have on numeric exception-handling software. 
Appendix B explains the differences between the 80287 and the 8087 NPX in greater detail. 


CHAPTER 2 
PROGRAMMING NUMERIC APPLICATIONS 


Programmers developing applications for the 80287 have a wide range of instructions and program- 
ming alternatives from which to choose. 


The following sections describe the 80287 instruction set in detail, and follow up with a discussion of 
several of the programming facilities that are available to programmers of iAPX 286/20 systems. 


THE 80287 NPX INSTRUCTION SET 


This section describes the operation of all 80287 instructions. Within this section, the instructions are 
divided into six functional classes: 


• Data Transfer instructions 
• Arithmetic instructions 
• Comparison instructions 
• Transcendental instructions 
• Constant instructions 
• Processor Control instructions 


At the end of this section, each of the instructions is described in terms of its execution speed, bus 
transfers, and exceptions, as well as a coding example for each combination of operands accepted by 
the instruction. For easy reference, this information is concentrated into a table, organized alphabeti- 
cally by instruction mnemonic. 


Throughout this section, the instruction set is described as it appears to the ASM286 programmer who 
is coding a program. Appendix A covers the actual machine instruction encodings, which are princi- 
pally of use to those reading unformatted memory dumps, monitoring instruction fetches on the bus, 
or writing exception handlers. 


Compatibility with the 8087 NPX 


The instruction set for the 80287 NPX is largely the same as that for the 8087 NPX used with iAPX 
86 and 88 systems. Most object programs generated for iAPX 86/20 systems (8086 and 8087) will 
execute without change on iAPX 286/20 systems. Several instructions are new to the 80287, and several 
8087 instructions perform no useful function on the 80287. Appendix B at the back of this supplement 
gives details of these instruction set differences and of the differences in the ASM86 and ASM286 
assemblers. 


Numeric Operands 


The typical NPX instruction accepts one or two operands as inputs, operates on these, and produces a 
result as an output. Operands are most often (the contents of) register or memory locations. The operands 
of some instructions are predefined; for example, FSQRT always takes the square root of the number 
in the top stack element. Others allow, or require, the programmer to explicitly code the operand(s) 
along with the instruction mnemonic. Still others accept one explicit operand and one implicit operand, 
which is usually the top stack element. 


Whether supplied by the programmer or utilized automatically, the two basic types of operands are 
sources and destinations. A source operand simply supplies one of the inputs to an instruction; it is not 
altered by the instruction. Even when an instruction converts the source operand from one format to 
another (e.g., real to integer), the conversion is actually performed in an internal work area to avoid 
altering the source operand. A destination operand may also provide an input to an instruction. It is 
distinguished from a source operand, however, because its content may be altered when it receives the 
result produced by the operation; that is, the destination is replaced by the result. 


Many instructions allow their operands to be coded in more than one way. For example, FADD (add 
real) may be written without operands, with only a source or with a destination and a source. The 
instruction descriptions in this section employ the simple convention of separating alternative operand 
forms with slashes; the slashes, however, are not coded. Consecutive slashes indicate an option of no 
explicit operands. The operands for FADD are thus described as 


//source/destination, source 


This means that FADD may be written in any of three ways: 


FADD 
FADD source 
FADD destination, source 


When reading this section, it is important to bear in mind that memory operands may be coded with 
any of the CPU’s memory addressing modes. To review these modes—direct, register indirect, based, 
indexed, based indexed—refer to the iAPX 286 Programmer’s Reference Manual. Table 2-17 later in 
this chapter also provides several addressing mode examples. 


Data Transfer Instructions 


These instructions (summarized in table 2-1) move operands among elements of the register stack, and 
between the stack top and memory. Any of the seven data types can be converted to temporary real 
and loaded (pushed) onto the stack in a single operation; they can be stored to memory in the same 
manner. The data transfer instructions automatically update the 80287 tag word to reflect the register 
contents following the instruction. 


Table 2-1. Data Transfer Instructions 


Real Transfers 

Load real 
Store real 
Store real and pop 
Exchange registers 


Integer Transfers 

Integer load 
Integer store 
Integer store and pop 


Packed Decimal Transfers 

Packed decimal (BCD) load 
Packed decimal (BCD) store and pop 


FLD source 


FLD (load real) loads (pushes) the source operand onto the top of the register stack. This is done by 
decrementing the stack pointer by one and then copying the content of the source to the new stack top. 
The source may be a register on the stack (ST(i)) or any of the real data types in memory. Short and 
long real source operands are converted to temporary real automatically. Coding FLD ST(0) duplicates 
the stack top. 


FST destination 


FST (store real) transfers the stack top to the destination, which may be another register on the stack 
or a short or long real memory operand. If the destination is short or long real, the significand is 
rounded to the width of the destination according to the RC field of the control word, and the exponent 
is converted to the width and bias of the destination format. 


If, however, the stack top is tagged special (it contains ∞, a NaN, or a denormal) then the stack top’s 
significand is not rounded but is chopped (on the right) to fit the destination. Neither is the exponent 
converted, but it also is chopped on the right and transferred “as is.” This preserves the value’s identi- 
fication as ∞ or a NaN (exponent all ones) or a denormal (exponent all zeros) so that it can be properly 
loaded and tagged later in the program if desired. 


FSTP destination 


FSTP (store real and pop) operates identically to FST except that the stack is popped following the 
transfer. This is done by tagging the top stack element empty and then incrementing ST. FSTP permits 
storing to a temporary real memory variable, whereas FST does not. Coding FSTP ST(0) is equivalent 
to popping the stack with no data transfer. 


FXCH //destination 


FXCH (exchange registers) swaps the contents of the destination and the stack top registers. If the 
destination is not coded explicitly, ST(1) is used. Many 80287 instructions operate only on the stack 
top; FXCH provides a simple means of effectively using these instructions on lower stack elements. 
For example, the following sequence takes the square root of the third register from the top: 


FILD source 


FILD (integer load) converts the source memory operand from its binary integer format (word, short, 
or long) to temporary real and loads (pushes) the result onto the stack. The (new) stack top is tagged 
zero if all bits in the source were zero, and is tagged valid otherwise. 


FIST destination 


FIST (integer store) rounds the content of the stack top to an integer according to the RC field of the 
control word and transfers the result to the destination. The destination may define a word or short 
integer variable. Negative zero is stored in the same encoding as positive zero: 0000...00. 


FISTP destination 


FISTP (integer store and pop) operates like FIST and also pops the stack following the transfer. The 
destination may be any of the binary integer data types. 


FBLD source 


FBLD (packed decimal (BCD) load) converts the content of the source operand from packed decimal 
to temporary real and loads (pushes) the result onto the stack. The sign of the source is preserved, 
including the case where the value is negative zero. FBLD is an exact operation; the source is loaded 
with no rounding error. 


The packed decimal digits of the source are assumed to be in the range 0-9H. The instruction does not 
check for invalid digits (A-FH) and the result of attempting to load an invalid encoding is undefined. 


FBSTP destination 


FBSTP (packed decimal (BCD) store and pop) converts the content of the stack top to a packed 
decimal integer, stores the result at the destination in memory, and pops the stack. FBSTP produces a 
rounded integer from a nonintegral value by adding 0.5 to the value and then chopping. Users who are 
concerned about rounding may precede FBSTP with FRNDINT. 


Arithmetic Instructions 


The 80287’s arithmetic instruction set (table 2-2) provides a wealth of variations on the basic add, 
subtract, multiply, and divide operations, and a number of other useful functions. These range from a 
simple absolute value to a square root instruction that executes faster than ordinary division; 80287 
programmers no longer need to spend valuable time eliminating square roots from algorithms because 
they run too slowly. Other arithmetic instructions perform exact modulo division, round real numbers 
to integers, and scale values by powers of two. 


The 80287’s basic arithmetic instructions (addition, subtraction, multiplication, and division) are 
designed to encourage the development of very efficient algorithms. In particular, they allow the 
programmer to minimize memory references and to make optimum use of the NPX register stack. 


Table 2-3 summarizes the available operation/operand forms that are provided for basic arithmetic. In 
addition to the four normal operations, two “reversed” instructions make subtraction and division 
“symmetrical” like addition and multiplication. The variety of instruction and operand forms give the 
programmer unusual flexibility: 

• Operands may be located in registers or memory. 
• Results may be deposited in a choice of registers. 
• Operands may be a variety of NPX data types: temporary real, long real, short real, short integer, 
  or word integer, with automatic conversion to temporary real performed by the 80287. 


Table 2-2. Arithmetic Instructions 


Addition 

Add real 
Add real and pop 
Integer add 


Subtract real 
Subtract real and pop 
Integer subtract 
Subtract real reversed 
Subtract real reversed and pop 
Integer subtract reversed 


Multiply real 
Multiply real and pop 
Integer multiply 


Divide real 
Divide real and pop 
Integer divide 
Divide real reversed 
Divide real reversed and pop 
Integer divide reversed 


Square root 
Scale 
Partial remainder 
Round to integer 
Extract exponent and significand 
Absolute value 
Change sign 


Five basic instruction forms may be used across all six operations, as shown in table 2-3. The classical 
stack form may be used to make the 80287 operate like a classical stack machine. No operands are 
coded in this form, only the instruction mnemonic. The NPX picks the source operand from the stack 
top and the destination from the next stack element. It then pops the stack, performs the operation, 
and returns the result to the new stack top, effectively replacing the operands by the result. 


The register form is a generalization of the classical stack form; the programmer specifies the stack 
top as one operand and any register on the stack as the other operand. Coding the stack top as the 
destination provides a convenient way to access a constant, held elsewhere in the stack, from the stack 
top. The converse coding (ST is the source operand) allows, for example, adding the top into a register 
used as an accumulator. 


Often the operand in the stack top is needed for one operation but then is of no further use in the 
computation. The register pop form can be used to pick up the stack top as the source operand, and 
then discard it by popping the stack. Coding operands of ST(1),ST with a register pop mnemonic is 
equivalent to a classical stack operation: the top is popped and the result is left at the new top. 


Table 2-3. Basic Arithmetic Instructions and Operands 


Instruction Form    Operand Forms                        Example Operands 

Classical stack     { ST(1),ST } 
Register            ST(i),ST or ST,ST(i)                 ST,ST(3) 
Register pop        ST(i),ST                             ST(2),ST 
Real memory         {ST,} short-real/long-real           AZIMUTH 
Integer memory      {ST,} word-integer/short-integer     N_PULSES 


NOTES: 
Braces ({ }) surround implicit operands; these are not coded, and are shown here for information only. 


op = ADD   destination ← destination + source 
     SUB   destination ← destination − source 
     SUBR  destination ← source − destination 
     MUL   destination ← destination * source 
     DIV   destination ← destination ÷ source 
     DIVR  destination ← source ÷ destination 


The two memory forms increase the flexibility of the 80287’s arithmetic instructions. They permit a 
real number or a binary integer in memory to be used directly as a source operand. This is a very useful 
facility in situations where operands are not used frequently enough to justify holding them in registers. 
Note that any memory addressing mode may be used to define these operands, so they may be elements 
in arrays, structures, or other data organizations, as well as simple scalars. 


The six basic operations are discussed further in the next paragraphs, and descriptions of the remaining 
seven arithmetic operations follow. 


ADDITION 

FADD //source/destination,source 
FADDP destination,source 
FIADD source 


The addition instructions (add real, add real and pop, integer add) add the source and destination 
operands and return the sum to the destination. The operand at the stack top may be doubled by 
coding: 


FADD ST,ST(0) 


NORMAL SUBTRACTION 

FSUB //source/destination,source 
FSUBP destination,source 
FISUB source 


The normal subtraction instructions (subtract real, subtract real and pop, integer subtract) subtract 
the source operand from the destination and return the difference to the destination. 


REVERSED SUBTRACTION 

FSUBR //source/destination,source 
FSUBRP destination,source 
FISUBR source 


The reversed subtraction instructions (subtract real reversed, subtract real reversed and pop, integer 
subtract reversed) subtract the destination from the source and return the difference to the destination. 


MULTIPLICATION 

FMUL //source/destination,source 
FMULP destination,source 
FIMUL source 


The multiplication instructions (multiply real, multiply real and pop, integer multiply) multiply the 
source and destination operands and return the product to the destination. Coding FMUL ST,ST(0) 
squares the content of the stack top. 


NORMAL DIVISION 


FDIV //source/destination,source 
FDIVP destination,source 
FIDIV source 


The normal division instructions (divide real, divide real and pop, integer divide) divide the destination 
by the source and return the quotient to the destination. 


REVERSED DIVISION 

FDIVR //source/destination,source 
FDIVRP destination,source 

FIDIVR source 


The reversed division instructions (divide real reversed, divide real reversed and pop, integer divide 
reversed) divide the source operand by the destination and return the quotient to the destination. 


FSQRT 


FSQRT (square root) replaces the content of the top stack element with its square root. (Note: The 
square root of −0 is defined to be −0.) 


FSCALE 


FSCALE (scale) interprets the value contained in ST(1) as an integer and adds this value to the exponent 
of the number in ST. This is equivalent to 


ST ← ST * 2^ST(1) 


Thus, FSCALE provides rapid multiplication or division by integral powers of 2. It is particularly 
useful for scaling the elements of a vector. 


Note that FSCALE assumes the scale factor in ST(1) is an integral value in the range −2^15 ≤ X < 2^15. 
If the value is not integral, but is in-range and is greater in magnitude than 1, FSCALE uses the 
nearest integer smaller in magnitude; i.e., it chops the value toward 0. If the value is out of range, or 
0 < |X| < 1, the instruction will produce an undefined result and will not signal an exception. The 
recommended practice is to load the scale factor from a word integer to ensure correct operation. 


FPREM 


FPREM (partial remainder) performs modulo division of the top stack element by the next stack 
element, i.e., ST(1) is the modulus. FPREM produces an exact result; the precision exception does not 
occur. The sign of the remainder is the same as the sign of the original dividend. 


FPREM operates by performing successive scaled subtractions; obtaining the exact remainder when 
the operands differ greatly in magnitude can consume large amounts of execution time. Because the 
80287 can only be preempted between instructions, the remainder function could seriously increase 
interrupt latency in these cases. Accordingly, the instruction is designed to be executed iteratively in a 
software-controlled loop. 


FPREM can reduce a magnitude difference of up to 2^64 in one execution. If FPREM produces a 
remainder that is less than the modulus, the function is complete and bit C2 of the status word condi- 
tion code is cleared. If the function is incomplete, C2 is set to 1; the result in ST is then called the 
partial remainder. Software can inspect C2 by storing the status word following execution of FPREM 
and re-execute the instruction (using the partial remainder in ST as the dividend), until C2 is cleared. 
Alternatively, a program can determine when the function is complete by comparing ST to ST(1). If 
ST>ST(1), then FPREM must be executed again; if ST=ST(1), then the remainder is 0; if ST<ST(1), 
then the remainder is ST. A higher priority interrupting routine that needs the 80287 can force a 
context switch between the instructions in the remainder loop. 


An important use for FPREM is to reduce arguments (operands) of periodic transcendental functions 
to the range permitted by these instructions. For example, the FPTAN (tangent) instruction requires 
its argument to be less than π/4. Using π/4 as a modulus, FPREM will reduce an argument so that it 
is in range of FPTAN. Because FPREM produces an exact result, the argument reduction does not 
introduce roundoff error into the calculation, even if several iterations are required to bring the argument 
into range. (The rounding of π does not create the effect of a rounded argument, but of a rounded 
period.) 


FPREM also provides the least-significant three bits of the quotient generated by FPREM (in C3, C1, 
C0). This is also important for transcendental argument reduction, because it locates the original angle 
in the correct one of eight π/4 segments of the unit circle (see table 2-4). If the quotient is less than 4, 
then C0 will be the value of C3 before FPREM was executed. If the quotient is less than 2, then C3 
will be the value of C1 before FPREM was executed. 
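

The software-controlled remainder loop and the quotient bits described above, as an added C model that is not code from the manual. It reproduces the shift-and-subtract behaviour on host doubles rather than on temporary reals; the struct and function names and the sample operands are constructed, the per-execution limit is taken from the 2^64 figure in the text, and the bit assignment C0 = quotient bit 2, C3 = bit 1, C1 = bit 0 is the x87 convention.

```c
#include <stdio.h>

#define FPREM_MAX_SHIFT 64      /* reduction limit of one execution (2^64 in the text) */

struct fprem_state {
    double st0;                 /* ST: dividend, then partial or final remainder */
    double st1;                 /* ST(1): modulus */
    unsigned c3, c2, c1, c0;    /* condition code bits of the status word */
};

/* One modelled FPREM execution. Returns 0, or -1 for operands outside the model. */
static int fprem_step(struct fprem_state *s)
{
    double a = s->st0 < 0.0 ? -s->st0 : s->st0;
    double m = s->st1 < 0.0 ? -s->st1 : s->st1;
    double d = m;
    unsigned q = 0;
    int k = 0, shift, stop;

    if (!(m > 0.0) || (a - a) != 0.0)
        return -1;              /* zero or NaN modulus, infinite or NaN dividend */

    while (d * 2.0 <= a) {      /* scale the modulus: d = m * 2^k, d <= a < 2d */
        d *= 2.0;
        k++;
    }
    /* Stop early when the magnitude difference exceeds what one execution handles. */
    stop = (k >= FPREM_MAX_SHIFT) ? k - (FPREM_MAX_SHIFT - 1) : 0;

    for (shift = k; shift >= stop; shift--) {
        if (a >= d) {
            a -= d;             /* exact, because d <= a < 2d at this point */
            if (shift < 3)
                q |= 1u << shift;
        }
        d /= 2.0;
    }
    s->st0 = s->st0 < 0.0 ? -a : a;   /* remainder keeps the dividend's sign */
    s->c2 = stop > 0;                 /* 1 = incomplete: ST holds a partial remainder */
    if (!s->c2) {
        s->c0 = (q >> 2) & 1;
        s->c3 = (q >> 1) & 1;
        s->c1 = q & 1;
    }
    return 0;
}

/* Re-execute until C2 clears; each pass is a point where a context switch could occur. */
static int fprem_reduce(struct fprem_state *s)
{
    int executions = 0;

    do {
        if (fprem_step(s) != 0)
            return -1;
        executions++;
    } while (s->c2);
    return executions;
}

static unsigned quotient_mod8(struct fprem_state s)
{
    return (s.c0 << 2) | (s.c3 << 1) | s.c1;
}

static struct fprem_state reduced(double x, double modulus)
{
    struct fprem_state s = { x, modulus, 0, 0, 0, 0 };
    fprem_reduce(&s);
    return s;
}

static int executions(double x, double modulus)
{
    struct fprem_state s = { x, modulus, 0, 0, 0, 0 };
    return fprem_reduce(&s);
}

int main(void)
{
    const double two_pow_80 = 1208925819614629174706176.0;   /* constructed operand */
    const double quarter_pi = 0.78539816339744830962;         /* pi/4, rounded by the host */
    struct fprem_state s = reduced(two_pow_80, 3.0);

    printf("2^80 mod 3 = %g after %d executions, quotient mod 8 = %u\n",
           s.st0, executions(two_pow_80, 3.0), quotient_mod8(s));
    s = reduced(1000.0, quarter_pi);
    printf("1000 rad reduces to %.17g in segment %u\n", s.st0, quotient_mod8(s));
    return 0;
}
```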


Table 2-4. Condition Code Interpretation after FPREM 


Condition Code 
C3  C2  C1  C0    Interpretation 

X   1   X   X     Incomplete Reduction; 
                  further iteration is required for complete 
                  reduction. 

                  Complete Reduction; 
                  C1, C3, and C0 contain the three least- 
                  significant bits of quotient: 
0   0   0   0     (Quotient) MOD 8 = 0 
0   0   0   1     (Quotient) MOD 8 = 4 
0   0   1   0     (Quotient) MOD 8 = 1 
0   0   1   1     (Quotient) MOD 8 = 5 
1   0   0   0     (Quotient) MOD 8 = 2 
1   0   0   1     (Quotient) MOD 8 = 6 
1   0   1   0     (Quotient) MOD 8 = 3 
1   0   1   1     (Quotient) MOD 8 = 7 


FRNDINT 


FRNDINT (round to integer) rounds the top stack element to an integer. For example, assume that 
ST contains the 80287 real number encoding of the decimal value 155.625. FRNDINT will change 
the value to 155 if the RC field of the control word is set to down or chop, or to 156 if it is set to up 
or nearest. 


FXTRACT 


FXTRACT (extract exponent and significand) “decomposes” the number in the stack top into two 
numbers that represent the actual value of the operand’s exponent and significand fields. The “exponent” 
replaces the original operand on the stack and the “significand” is pushed onto the stack. Following 
execution of FXTRACT, ST (the new stack top) contains the value of the original significand expressed 
as a real number: its sign is the same as the operand’s, its exponent is 0 true (16,383 or 3FFFH biased), 
and its significand is identical to the original operand’s. ST(1) contains the value of the original operand’s 
true (unbiased) exponent expressed as a real number. If the original operand is zero, FXTRACT 
produces zeros in ST and ST(1) and both are signed as the original operand. 


To clarify the operation of FXTRACT, assume ST contains a number whose true exponent is +4 
(i.e., its exponent field contains 4003H). After executing FXTRACT, ST(1) will contain the real number 
+4.0; its sign will be positive, its exponent field will contain 4001H (+2 true) and its significand field 
will contain 1∆00...00B. In other words, the value in ST(1) will be 1.0 × 2^2 = 4. If ST contains an 
operand whose true exponent is −7 (i.e., its exponent field contains 3FF8H), then FXTRACT will 
return an “exponent” of −7.0; after the instruction executes, ST(1)’s sign and exponent fields will 
contain C001H (negative sign, true exponent of 2), and its significand will be 1∆1100...00B. In other 
words, the value in ST(1) will be −1.11 × 2^2 = −7.0. In both cases, following FXTRACT, ST’s sign 
and significand fields will be the same as the original operand’s, and its exponent field will contain 
3FFFH (0 true). 


FXTRACT is useful in conjunction with FBSTP for converting numbers in 80287 temporary real format 
to decimal representations (e.g., for printing or displaying). It can also be useful for debugging, because 
it allows the exponent and significand parts of a real number to be examined separately. 
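

The FXTRACT field arithmetic worked through above, as an added C example that is not code from the manual. It operates directly on the sign/exponent word and 64-bit significand of a temporary real and reproduces the 4003H and 3FF8H cases; the struct and function names and the sample significands are constructed, and only zero and normalized operands are handled.

```c
#include <stdint.h>
#include <stdio.h>

#define EXP_BIAS 0x3FFF          /* temporary real exponent bias (16,383) */

struct tempreal {
    uint16_t sign_exp;           /* bit 15 = sign, bits 14..0 = biased exponent */
    uint64_t significand;        /* bit 63 = integer bit, then 63 fraction bits */
};

static struct tempreal tempreal_make(uint16_t sign_exp, uint64_t significand)
{
    struct tempreal r;
    r.sign_exp = sign_exp;
    r.significand = significand;
    return r;
}

static int is_zero(struct tempreal x)
{
    return (x.sign_exp & 0x7FFF) == 0 && x.significand == 0;
}

/* Encode a signed integer as a normalized temporary real. */
static struct tempreal tempreal_from_int(int32_t v)
{
    uint64_t mag = (uint64_t)(v < 0 ? -(int64_t)v : (int64_t)v);
    int msb = 63;

    if (mag == 0)
        return tempreal_make(0, 0);
    while (!(mag >> 63)) {       /* shift the leading 1 up to the integer bit */
        mag <<= 1;
        msb--;                   /* msb ends as the true exponent of the value */
    }
    return tempreal_make((uint16_t)((v < 0 ? 0x8000 : 0) | (EXP_BIAS + msb)), mag);
}

/* Value left in ST(1): the operand's true exponent expressed as a real number. */
static struct tempreal fxtract_exponent(struct tempreal in)
{
    if (is_zero(in))
        return tempreal_make(in.sign_exp & 0x8000, 0);   /* zero, signed as operand */
    return tempreal_from_int((int32_t)(in.sign_exp & 0x7FFF) - EXP_BIAS);
}

/* Value left in ST: original sign and significand, exponent field set to 0 true. */
static struct tempreal fxtract_significand(struct tempreal in)
{
    if (is_zero(in))
        return tempreal_make(in.sign_exp & 0x8000, 0);
    return tempreal_make((uint16_t)((in.sign_exp & 0x8000) | EXP_BIAS), in.significand);
}

static void show(const char *label, struct tempreal x)
{
    printf("%-6s sign/exp = %04XH  significand = %016llXH\n",
           label, (unsigned)x.sign_exp, (unsigned long long)x.significand);
}

int main(void)
{
    /* Constructed operands: 1.5 * 2^4 and 1.0 * 2^-7. */
    struct tempreal a = tempreal_make(0x4003, 0xC000000000000000ULL);
    struct tempreal b = tempreal_make(0x3FF8, 0x8000000000000000ULL);

    show("ST(1)", fxtract_exponent(a));      /* +4.0 */
    show("ST", fxtract_significand(a));
    show("ST(1)", fxtract_exponent(b));      /* -7.0 */
    show("ST", fxtract_significand(b));
    return 0;
}
```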


FABS 


FABS (absolute value) changes the top stack element to its absolute value by making its sign positive. 


FCHS 


FCHS (change sign) complements (reverses) the sign of the top stack element. 


Comparison Instructions 


Each of these instructions (table 2-5) analyzes the top stack element, often in relationship to another 
operand, and reports the result in the status word condition code. The basic operations are compare, 
test (compare with zero), and examine (report tag, sign, and normalization). Special forms of the compare 
operation are provided to optimize algorithms by allowing direct comparisons with binary integers and 
real numbers in memory, as well as popping the stack after a comparison. 


The FSTSW (store status word) instruction may be used following a comparison to transfer the condi- 
tion code to memory for inspection. 


Note that instructions other than those in the comparison group may update the condition code. To 
ensure that the status word is not altered inadvertently, store it immediately following a comparison 
operation. 


FCOM //source 


FCOM (compare real) compares the stack top to the source operand. The source operand may be a 
register on the stack, or a short or long real memory operand. If an operand is not coded, ST is compared 
to ST(1). Positive and negative forms of zero compare identically as if they were unsigned. Following 
the instruction, the condition codes reflect the order of the operands as shown in table 2-6. 

NaNs and ∞ (projective) cannot be compared and return C3=C0=1 as shown in the table. 


FCOMP //source 


FCOMP (compare real and pop) operates like FCOM, and in addition pops the stack. 


FCOMPP 


FCOMPP (compare real and pop twice) operates like FCOM and additionally pops the stack twice, 
discarding both operands. The comparison is of the stack top to ST(1); no operands may be explicitly 
coded. 


FICOM source 


FICOM (integer compare) converts the source operand, which may reference a word or short binary 
integer variable, to temporary real and compares the stack top to it. 


FICOMP source 


FICOMP (integer compare and pop) operates identically to FICOM and additionally discards the 
value in ST by popping the stack. 


Table 2-5. Comparison Instructions 


Compare real 
Compare real and pop 
Compare real and pop twice 
Integer compare 
Integer compare and pop 
Test 
Examine 


Table 2-6. Condition Code Interpretation after FCOM 


Condition Code 
Interpretation after FCOM 


ST > source 
ST < source 
ST = source 
ST is not comparable 


FTST 


FTST (test) tests the top stack element by comparing it to zero. The result is posted to the condition 
codes as shown in table 2-7. 


FXAM 


FXAM (examine) reports the content of the top stack element as positive/negative and NaN/unnor- 
mal/denormal/normal/zero, or empty. Table 2-8 lists and interprets all the condition code values that 
FXAM generates. Although four different encodings may be returned for an empty register, bits C3 
and C0 of the condition code are both 1 in all encodings. Bits C2 and C1 should be ignored when 
examining for empty. 


Transcendental Instructions 


The instructions in this group (table 2-9) perform the time-consuming core calculations for all common 
trigonometric, inverse trigonometric, hyperbolic, inverse hyperbolic, logarithmic, and exponential 
functions. Prologue and epilogue software may be used to reduce arguments to the range accepted by 
the instructions and to adjust the result to correspond to the original arguments if necessary. The 
transcendentals operate on the top one or two stack elements, and they return their results to the stack, 
also. 


Table 2-7. Condition Code Interpretation after FTST 


Condition Code 


Interpretation after FTST 


ST > 0 
ST < 0
ST = 0 
ST is not comparable; (i.e., it is a NaN or projective infinity) 


Table 2-8. FXAM Condition Code Settings


  Condition Code
C3   C2   C1   C0     Interpretation

0    0    0    0      + Unnormal
0    0    0    1      + NaN
0    0    1    0      − Unnormal
0    0    1    1      − NaN
0    1    0    0      + Normal
0    1    0    1      + ∞
0    1    1    0      − Normal
0    1    1    1      − ∞
1    0    0    0      + 0
1    0    0    1      Empty
1    0    1    0      − 0
1    0    1    1      Empty
1    1    0    0      + Denormal
1    1    0    1      Empty
1    1    1    0      − Denormal
1    1    1    1      Empty


Table 2-9. Transcendental Instructions


FPTAN      Partial tangent
FPATAN     Partial arctangent
F2XM1      2^X − 1
FYL2X      Y · log₂X
FYL2XP1    Y · log₂(X + 1)


NOTE 


The transcendental instructions assume that their operands are valid and in-range. The
instruction descriptions in this section provide the allowed operand range of each instruction. 


All operands to a transcendental must be normalized; denormals, unnormals, infinities, and NaNs are
considered invalid. (Zero operands are accepted by some functions and are considered out-of-range by
others). If a transcendental operand is invalid or out-of-range, the instruction will produce an undefined
result without signalling an exception. It is the programmer’s responsibility to ensure that operands are
valid and in-range before executing a transcendental. For periodic functions, FPREM may be used to
bring a valid operand into range.


FPTAN
0 ≤ ST(0) ≤ π/4


FPTAN (partial tangent) computes the function Y/X = TAN(θ). θ is taken from the top stack
element; it must lie in the range 0 ≤ θ ≤ π/4. The result of the operation is a ratio; Y replaces θ in
the stack and X is pushed, becoming the new stack top.


The ratio result of FPTAN and the ratio argument of FPATAN are designed to optimize the calcula- 
tion of the other trigonometric functions, including SIN, COS, ARCSIN, and ARCCOS. These can 
be derived from TAN and ARCTAN via standard trigonometric identities. 


FPATAN
0 ≤ ST(1) < ST(0) < ∞


FPATAN (partial arctangent) computes the function θ = ARCTAN(Y/X). X is taken from the top
stack element and Y from ST(1). Y and X must observe the inequality 0 ≤ Y < X < ∞. The
instruction pops the stack and returns θ to the (new) stack top, overwriting the Y operand.


F2XM1
0 ≤ ST(0) ≤ 0.5


F2XM1 (2 to the X minus 1) calculates the function Y = 2^X − 1. X is taken from the stack top and
must be in the range 0 ≤ X ≤ 0.5. The result Y replaces X at the stack top.


This instruction is designed to produce a very accurate result even when X is close to 0. To obtain
Y = 2^X, add 1 to the result delivered by F2XM1.


The following formulas show how values other than 2 may be raised to a power of X: 


10^X = 2^(X · LOG₂10)
e^X = 2^(X · LOG₂e)
Y^X = 2^(X · LOG₂Y)


As shown in the next section, the 80287 has built-in instructions for loading the constants LOG₂10 and
LOG₂e, and the FYL2X instruction may be used to calculate X · LOG₂Y.
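
The operand rules and the 10^X formula above, as an added C example that is not taken from the Intel manual: a software stand-in for F2XM1 that refuses invalid or out-of-range operands instead of returning an undefined result, with the prologue and epilogue that extend it to any exponent. The function names are hypothetical, `double` stands in for the temporary real format, and a power series replaces the hardware algorithm.

```c
#include <float.h>
#include <stdio.h>

#define NPX_LN2   0.69314718055994530942  /* constant FLDLN2 loads: ln 2    */
#define NPX_L2T   3.32192809488736234787  /* constant FLDL2T loads: log2 10 */
#define NPX_SQRT2 1.41421356237309504880

enum npx_rc { NPX_OK = 0, NPX_INVALID = -1, NPX_OUT_OF_RANGE = -2 };

/* Valid operand: normalized or zero. Rejects NaN, infinity and denormals,
   which the manual classes as invalid for every transcendental. */
static int npx_operand_valid(double x)
{
    double a = x < 0.0 ? -x : x;
    return x == x && a <= DBL_MAX && (a == 0.0 || a >= DBL_MIN);
}

/* Stand-in for F2XM1: Y = 2^X - 1, accepted only for 0 <= X <= 0.5.
   Summing the series of e^(X ln 2) - 1 keeps full accuracy near X = 0. */
int npx_f2xm1(double x, double *y)
{
    if (!npx_operand_valid(x))
        return NPX_INVALID;
    if (x < 0.0 || x > 0.5)
        return NPX_OUT_OF_RANGE;
    double t = x * NPX_LN2, term = t, sum = t;
    for (int k = 2; k <= 20; k++) {
        term *= t / k;
        sum += term;
    }
    *y = sum;
    return NPX_OK;
}

/* 2^x for a general x. Prologue: x = n + f with integer n and 0 <= f <= 1;
   when f > 0.5 use 2^f = sqrt(2) * 2^(f - 0.5) so F2XM1 sees 0..0.5.
   Epilogue: add 1 (2^f = F2XM1(f) + 1) and scale by 2^n. */
int npx_pow2(double x, double *y)
{
    if (!npx_operand_valid(x))
        return NPX_INVALID;
    if (x < -1000.0 || x > 1000.0)     /* keep the double result finite */
        return NPX_OUT_OF_RANGE;
    long n = (long)x;
    if ((double)n > x)
        n--;                           /* floor for negative x */
    double f = x - (double)n, scale = 1.0, r;
    if (f > 0.5) {
        f -= 0.5;
        scale = NPX_SQRT2;
    }
    int rc = npx_f2xm1(f, &r);
    if (rc != NPX_OK)
        return rc;
    r = (r + 1.0) * scale;
    for (; n > 0; n--) r *= 2.0;
    for (; n < 0; n++) r *= 0.5;
    *y = r;
    return NPX_OK;
}

/* 10^x = 2^(x * log2 10), the first of the formulas in the text. */
int npx_pow10(double x, double *y)
{
    if (!npx_operand_valid(x))
        return NPX_INVALID;
    return npx_pow2(x * NPX_L2T, y);
}

int main(void)
{
    double y = 0.0;
    int rc = npx_pow10(3.0, &y);
    printf("10^3        rc=%d y=%.12g\n", rc, y);
    rc = npx_f2xm1(0.75, &y);          /* out of range: refused, y untouched */
    printf("F2XM1(0.75) rc=%d\n", rc);
    return 0;
}
```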


FYL2X
0 < ST(0) < ∞
−∞ < ST(1) < ∞


FYL2X (Y log base 2 of X) calculates the function Z = Y · LOG₂X. X is taken from the stack top and
Y from ST(1). The operands must be in the ranges 0 < X < ∞ and −∞ < Y < +∞. The
instruction pops the stack and returns Z at the (new) stack top, replacing the Y operand.


This function optimizes the calculations of log to any base other than two, because a multiplication is 
always required: 


LOGₙ2 · LOG₂X


FYL2XP1
0 < |ST(0)| < (1 − (√2/2))
−∞ < ST(1) < ∞


FYL2XP1 (Y log base 2 of (X + 1)) calculates the function Z = Y · LOG₂(X + 1). X is taken from
the stack top and must be in the range 0 < |X| < (1 − (√2/2)). Y is taken from ST(1) and must
be in the range −∞ < Y < ∞. FYL2XP1 pops the stack and returns Z at the (new) stack top,
replacing Y.


The instruction provides improved accuracy over FYL2X when computing the log of a number very 
close to 1, for example 1 + ε where ε << 1. Providing ε rather than 1 + ε as the input to the function
allows more significant digits to be retained.

Constant Instructions 

Each of these instructions (table 2-10) loads (pushes) a commonly-used constant onto the stack. The 
values have full temporary real precision (64 bits) and are accurate to approximately 19 decimal digits. 


Because a temporary real constant occupies 10 memory bytes, the constant instructions, which are only 
two bytes long, save storage and improve execution speed, in addition to simplifying programming. 


FLDZ 


FLDZ (load zero) loads (pushes) +0.0 onto the stack. 


FLD1 


FLD1 (load one) loads (pushes) +1.0 onto the stack. 


Table 2-10. Constant Instructions


FLDZ      Load +0.0
FLD1      Load +1.0
FLDPI     Load π
FLDL2T    Load log₂10
FLDL2E    Load log₂e
FLDLG2    Load log₁₀2
FLDLN2    Load logₑ2


FLDPI


FLDPI (load π) loads (pushes) π onto the stack.


FLDL2T 


FLDL2T (load log base 2 of 10) loads (pushes) the value LOG₂10 onto the stack.


FLDL2E


FLDL2E (load log base 2 of e) loads (pushes) the value LOG₂e onto the stack.


FLDLG2


FLDLG2 (load log base 10 of 2) loads (pushes) the value LOG₁₀2 onto the stack.


FLDLN2


FLDLN2 (load log base e of 2) loads (pushes) the value LOGₑ2 onto the stack.


Processor Control Instructions 


The processor control instructions shown in table 2-11 are not typically used in calculations; they provide 
control over the 80287 NPX for system-level activities. These activities include initialization, exception 
handling, and task switching.


As shown in table 2-11, many of the NPX processor control instructions have two forms of a 
mnemonic: 


• A wait form, where the mnemonic is prefixed only with an F, such as FSTSW. This form checks
for unmasked numeric errors.


• A no-wait form, where the mnemonic is prefixed with an FN, such as FNSTSW. This form ignores
unmasked numeric errors.


Table 2-11. Processor Control Instructions


FINIT/FNINIT          Initialize processor
FSETPM                Set Protected Mode
FLDCW                 Load control word
FSTCW/FNSTCW          Store control word
FSTSW/FNSTSW          Store status word
FSTSW AX/FNSTSW AX    Store status word to AX
FCLEX/FNCLEX          Clear exceptions
FSTENV/FNSTENV        Store environment
FLDENV                Load environment
FSAVE/FNSAVE          Save state
FRSTOR                Restore state
FINCSTP               Increment stack pointer
FDECSTP               Decrement stack pointer
FFREE                 Free register
FNOP                  No operation
FWAIT                 CPU Wait


When the control instruction is coded using the no-wait form of the mnemonic, the ASM286 assembler
does not precede the ESC instruction with a wait instruction, and the CPU does not test the ERROR 
status line from the NPX before executing the processor control instruction. 


Only the processor control class of instructions have this alternate no-wait form. All numeric instruc- 
tions are automatically synchronized by the 80286, with the CPU testing the BUSY status line and 
only executing the numeric instruction when this line is inactive. Because of this automatic synchroniz- 
ation by the 80286, numeric instructions for the 80287 need not be preceded by a CPU wait instruction 
in order to execute correctly. 


It should also be noted that the 8087 instructions FENI and FDISI perform no function in the 80287. 
If these opcodes are detected in an 80286/80287 instruction stream, the 80287 will perform no specific 
operation and no internal states will be affected. For programmers interested in porting numeric software 
from iAPX 86 or iAPX 88 environments to the iAPX 286, however, it should be noted that program 
sections containing these exception-handling instructions are not likely to be completely portable to the 
iAPX 286/20. Appendix B contains a more complete description of the differences between the 80287 
and the 8087 NPX. 


FINIT/FNINIT 


FINIT/FNINIT (initialize processor) sets the 80287 NPX into a known state, unaffected by any 
previous activity. The no-wait form of this instruction will cause the 80287 to abort any previous numeric
operations currently executing in the NEU. This instruction performs the functional equivalent of a 
hardware RESET, with one exception; FINIT/FNINIT does not affect the current 80287 operating 
mode (either Real-Address mode or Protected mode). FINIT checks for unmasked numeric exceptions, 
FNINIT does not. 


Note that if FNINIT is executed while a previous 80287 memory-referencing instruction is running, 
80287 bus cycles in progress will be aborted. This instruction may be necessary to clear the 80287 if a 
Processor Extension Segment Overrun Exception (Interrupt 9) is detected by the CPU. 


FSETPM 


FSETPM (set Protected mode) sets the operating mode of the 80287 to Protected Virtual-Address 
mode. When the 80287 is first initialized following hardware RESET, it operates in Real-Address 
mode, just as does the 80286 CPU. Once the 80287 NPX has been set into Protected mode, only a 
hardware RESET can return the NPX to operation in Real-Address mode. 


When the 80287 operates in Protected mode, the NPX exception pointers are represented differently 
than they are in Real-Address mode (see the FSAVE and FSTENV instructions that follow). This
distinction is evident primarily to writers of numeric exception handlers, however. For general
application programmers, the operating mode of the 80287 need not be a concern.


FLDCW source 


FLDCW (load control word) replaces the current processor control word with the word defined by the 
source operand. This instruction is typically used to establish or change the 80287’s mode of operation. 
Note that if an exception bit in the status word is set, loading a new control word that unmasks that 
exception and clears the interrupt enable mask will generate an immediate interrupt request before the 
next instruction is executed. When changing modes, the recommended procedure is to first clear any 
exceptions and then load the new control word.


FSTCW/FNSTCW destination


FSTCW/FNSTCW (store control word) writes the current processor control word to the memory
location defined by the destination. FSTCW checks for unmasked numeric exceptions, FNSTCW
does not.


FSTSW/FNSTSW destination


FSTSW/FNSTSW (store status word) writes the current value of the 80287 status word to the
destination operand in memory. The instruction is used to


• Implement conditional branching following a comparison or FPREM instruction (FSTSW)
• Poll the 80287 to determine if it is busy (FNSTSW)
• Invoke exception handlers in environments that do not use interrupts (FSTSW).


FSTSW checks for unmasked numeric exceptions, FNSTSW does not. 


FSTSW AX/FNSTSW AX 


FSTSW AX/FNSTSW AX (store status word to AX) is a special 80287 instruction that writes the 
current value of the 80287 status word directly into the 80286 AX register. This instruction optimizes 
conditional branching in numeric programs, where the 80286 CPU must test the condition of various 
NPX status bits. The waited form checks for unmasked numeric exceptions, the non-waited form
does not.


When this instruction is executed, the 80286 AX register is updated with the NPX status word before
the CPU executes any further instructions. In this way, the 80286 can immediately test the NPX status
word without any WAIT or other synchronization instructions required.


FCLEX/FNCLEX 


FCLEX/FNCLEX (clear exceptions) clears all exception flags, the error status flag and the busy flag 
in the status word. As a consequence, the 80287’s ERROR line goes inactive. FCLEX checks for 
unmasked numeric exceptions, FNCLEX does not. 


FSAVE/FNSAVE destination 


FSAVE/FNSAVE (save state) writes the full 80287 state—environment plus register stack—to the 
memory location defined by the destination operand. Figure 2-1 shows the layout of the 94-byte save
area; typically the instruction will be coded to save this image on the CPU stack. FNSAVE delays its 
execution until all NPX activity completes normally. Thus, the save image reflects the state of the 
NPX following the completion of any running instruction. After writing the state image to memory, 
FSAVE/FNSAVE initializes the 80287 as if FINIT/FNINIT had been executed. 


FSAVE/FNSAVE is useful whenever a program wants to save the current state of the NPX and
initialize it for a new routine. Three examples are


• An operating system needs to perform a context switch (suspend the task that had been running
and give control to a new task).
• An exception handler needs to use the 80287.
• An application task wants to pass a “clean” 80287 to a subroutine.


[Figure 2-1: two panels, REAL MODE and PROTECTED MODE, each a column of 16-bit words (bits 15-0)
at increasing addresses.]

Words common to both modes, in order: CONTROL WORD, STATUS WORD, TAG WORD.

Exception pointers, real mode: INSTRUCTION POINTER (15-0); INSTRUCTION POINTER (19-16) with
INSTRUCTION OPCODE (10-0); DATA POINTER (15-0); DATA POINTER (19-16).

Exception pointers, protected mode: IP OFFSET; CS SELECTOR; DATA OPERAND OFFSET; DATA OPERAND
SELECTOR.

Register stack, both modes: TOP STACK ELEMENT: ST, NEXT STACK ELEMENT: ST(1), and so on to LAST
STACK ELEMENT: ST(7). Each element is stored as SIGNIFICAND 15-0, SIGNIFICAND 31-16,
SIGNIFICAND 47-32, SIGNIFICAND 63-48, then S with EXPONENT 14-0.

NOTES:
S = Sign
Bit 0 of each field is rightmost, least significant bit of corresponding register field.
Bit 63 of significand is integer bit (assumed binary point is immediately to the right).


Figure 2-1. FSAVE/FRSTOR Memory Layout


FSAVE checks for unmasked numeric errors before executing, FNSAVE does not. An FWAIT should 
be executed before CPU interrupts are enabled or any subsequent 80287 instruction is executed. Other 
CPU instructions may be executed between the FNSAVE/FSAVE and the FWAIT.


FRSTOR source 


FRSTOR (restore state) reloads the 80287 from the 94-byte memory area defined by the source operand. 
This information should have been written by a previous FSAVE/FNSAVE instruction and not altered
by any other instruction. An FWAIT is not required after FRSTOR. FRSTOR will automatically wait 
and check for interrupts until all data transfers are completed before continuing to the next instruction. 


Note that the 80287 “reacts” to its new state at the conclusion of the FRSTOR; it will, for example,
generate an exception request if the exception and mask bits in the memory image so indicate when
the next WAIT or error-checking-ESC instruction is executed.


FSTENV/FNSTENV destination


FSTENV/FNSTENV (store environment) writes the 80287’s basic status—control, status, and tag 
words, and exception pointers—to the memory location defined by the destination operand. Typically, 
the environment is saved on the CPU stack. FSTENV/FNSTENV is often used by exception handlers 
because it provides access to the exception pointers that identify the offending instruction and operand. 
After saving the environment, FSTENV/FNSTENV sets all exception masks in the processor. FSTENV
checks for pending errors before executing, FNSTENV does not. 


Figure 2-2 shows the format of the environment data in memory. FNSTENV does not store the 
environment until all NPX activity has completed. Thus, the data saved by the instruction reflects the
80287 after any previously decoded instruction has been executed. After writing the environment image 
to memory, FNSTENV/FSTENV initializes the 80287 state as if FNINIT/FINIT had been executed. 


FSTENV/FNSTENV must be allowed to complete before any other 80287 instruction is decoded. 
When FSTENV is coded, an explicit FWAIT, or assembler-generated WAIT, should precede any
subsequent 80287 instruction. 


[Figure 2-2: two panels, REAL MODE and PROTECTED MODE, each a column of 16-bit words (bits 15-0)
labelled with memory offsets. Words shown: CONTROL WORD (+0), STATUS WORD (+2), TAG WORD (+4),
INSTRUCTION POINTER (15-0) (+6), INSTRUCTION POINTER (19-16) with INSTRUCTION OPCODE (10-0),
DATA POINTER (15-0), DATA POINTER (19-16). Bit positions 12 and 11 are marked on the words that
hold the upper pointer bits.]


Figure 2-2. FSTENV/FLDENV Memory Layout


FLDENV source


FLDENV (load environment) reloads the environment from the memory area defined by the source 
operand. This data should have been written by a previous FSTENV/FNSTENV instruction. CPU
instructions (that do not reference the environment image) may immediately follow FLDENV. An 
FWAIT is not required after FLDENV. FLDENV will automatically wait for all data transfers to 
complete before executing the next instruction. 


Note that loading an environment image that contains an unmasked exception will cause a numeric
exception when the next WAIT or error-checking-ESC instruction is executed. 
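
An added example, not code from the Intel manual: a C decoder for the environment words at the start of an FSAVE or FSTENV image, reporting whether reloading the image with FRSTOR or FLDENV would leave an unmasked exception pending. The function names and sample bytes are constructed here; the stack-top field (status word bits 13-11), the exception flag and mask bits (bits 5-0) and the tag encoding are assumed from the 80287 register definitions, which this section does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPX_ENV_BYTES  14   /* control, status, tag words + exception pointers */
#define NPX_SAVE_BYTES 94   /* environment + eight 10-byte stack elements      */

enum npx_mode { NPX_REAL, NPX_PROTECTED };

struct npx_env {
    uint16_t control, status, tag;
    uint32_t ip, dp;     /* real: 20-bit addresses; protected: 16-bit offsets */
    uint16_t cs, ds;     /* protected-mode selectors (0 in real mode)         */
    uint16_t opcode;     /* real mode only: instruction opcode bits 10-0      */
    unsigned top;        /* ASSUMED: stack top field, status word bits 13-11  */
    unsigned pending;    /* ASSUMED: flag bits 5-0 set and not masked         */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode the seven environment words. Returns 0, or -1 on a short buffer. */
int npx_parse_env(const uint8_t *buf, size_t len, enum npx_mode mode,
                  struct npx_env *e)
{
    if (buf == NULL || e == NULL || len < NPX_ENV_BYTES)
        return -1;
    memset(e, 0, sizeof *e);
    e->control = rd16(buf);
    e->status  = rd16(buf + 2);
    e->tag     = rd16(buf + 4);
    const uint16_t w3 = rd16(buf + 6),  w4 = rd16(buf + 8);
    const uint16_t w5 = rd16(buf + 10), w6 = rd16(buf + 12);
    if (mode == NPX_REAL) {            /* 20-bit physical addresses */
        e->ip     = ((uint32_t)(w4 >> 12) << 16) | w3;
        e->opcode = w4 & 0x07FF;
        e->dp     = ((uint32_t)(w6 >> 12) << 16) | w5;
    } else {                           /* selector and offset pairs */
        e->ip = w3;  e->cs = w4;
        e->dp = w5;  e->ds = w6;
    }
    e->top     = (e->status >> 11) & 7u;
    e->pending = (unsigned)e->status & ~(unsigned)e->control & 0x3Fu;
    return 0;
}

/* Tag of ST(i). ASSUMED encoding: 0 valid, 1 zero, 2 special, 3 empty. */
unsigned npx_stack_tag(const struct npx_env *e, unsigned i)
{
    unsigned phys = (e->top + i) & 7u;   /* tags are kept per physical register */
    return (e->tag >> (2 * phys)) & 3u;
}

/* Read ST(i) from a full save image. Returns 0, or -1 if truncated. */
int npx_read_st(const uint8_t *buf, size_t len, unsigned i,
                uint64_t *significand, unsigned *exponent, unsigned *sign)
{
    if (buf == NULL || i > 7 || len < NPX_SAVE_BYTES)
        return -1;
    const uint8_t *r = buf + NPX_ENV_BYTES + 10 * i;
    uint64_t s = 0;
    for (int b = 7; b >= 0; b--)       /* significand bytes, lowest address first */
        s = (s << 8) | r[b];
    *significand = s;
    *exponent = rd16(r + 8) & 0x7FFFu;
    *sign = rd16(r + 8) >> 15;
    return 0;
}

/* CONSTRUCTED sample image (not captured from hardware), real-mode layout. */
void npx_sample_image(uint8_t img[NPX_SAVE_BYTES])
{
    static const uint8_t env[NPX_ENV_BYTES] = {
        0x3E, 0x03,   /* control 033EH: invalid-operation mask clear       */
        0x01, 0x30,   /* status 3001H: TOP = 6, invalid-operation flag set */
        0xFF, 0x4F,   /* tag 4FFFH: register 6 valid, 7 zero, 0-5 empty    */
        0x45, 0x23,   /* instruction pointer 15-0                          */
        0xFA, 0x10,   /* instruction pointer 19-16 = 1, opcode = 0FAH      */
        0xCD, 0xAB,   /* data pointer 15-0                                 */
        0x00, 0x20    /* data pointer 19-16 = 2                            */
    };
    memset(img, 0, NPX_SAVE_BYTES);
    memcpy(img, env, sizeof env);
    img[NPX_ENV_BYTES + 7] = 0x80;   /* ST significand: integer bit 63 set */
    img[NPX_ENV_BYTES + 8] = 0xFF;   /* ST exponent 3FFFH, sign 0: +1.0    */
    img[NPX_ENV_BYTES + 9] = 0x3F;
}

int main(void)
{
    uint8_t img[NPX_SAVE_BYTES];
    struct npx_env e;
    npx_sample_image(img);
    if (npx_parse_env(img, sizeof img, NPX_REAL, &e) != 0)
        return 1;
    printf("TOP=%u IP=%05lX opcode=%03X pending=%02X\n", e.top,
           (unsigned long)e.ip, (unsigned)e.opcode, e.pending);
    return 0;
}
```

A non-zero `pending` value means the image carries an exception flag whose mask bit is clear, the case the text says raises a numeric exception at the next WAIT or error-checking ESC instruction after the reload.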


FINCSTP 


FINCSTP (increment stack pointer) adds 1 to the stack top pointer (ST) in the status word. It does
not alter tags or register contents, nor does it transfer data. It is not equivalent to popping the stack,
because it does not set the tag of the previous stack top to empty. Incrementing the stack pointer when
ST=7 produces ST=0.


FDECSTP 


FDECSTP (decrement stack pointer) subtracts 1 from ST, the stack top pointer in the status word.
No tags or registers are altered, nor is any data transferred. Executing FDECSTP when ST=0 produces 
ST=7. 


FFREE destination 


FFREE (free register) changes the destination register’s tag to empty; the content of the register is
unaffected.


FNOP 


FNOP (no operation) stores the stack top to the stack top (FST ST ST(0)) and thus effectively performs 
no operation. 


FWAIT (CPU INSTRUCTION) 


FWAIT is not actually an 80287 instruction, but an alternate mnemonic for the CPU WAIT instruc- 
tion. The FWAIT or WAIT mnemonic should be coded whenever the programmer wants to synchro- 
nize the CPU to the NPX, that is, to suspend further instruction decoding until the NPX has completed 
the current instruction. FWAIT will check for unmasked numeric exceptions. 


NOTE 


A CPU instruction should not attempt to access a memory operand until the 80287 instruction
has completed. For example, the following coding shows how FWAIT can be used to
force the CPU instruction to wait for the 80287:


    FIST  VALUE
    FWAIT               ; Wait for FIST to complete
    MOV   AX,VALUE


More information on when to code an FWAIT instruction is given in a following section of this chapter,
“Concurrent Processing with the 80287.”


Instruction Set Reference Information


Table 2-14 later in this chapter lists the operating characteristics of all the 80287 instructions. There 
is one table entry for each instruction mnemonic; the entries are in alphabetical order for quick lookup. 
Each entry provides the general operand forms accepted by the instruction as well as a list of all 
exceptions that may be detected during the operation. 


One entry exists for each combination of operand types that can be coded with the mnemonic. Table 
2-12 explains the operand identifiers allowed in table 2-14. Following this entry are columns that provide 
execution time in clocks, the number of bus transfers run during the operation, the length of the 
instruction in bytes, and an ASM286 coding sample. 


INSTRUCTION EXECUTION TIME 


The execution of an 80287 instruction involves three principal activities, each of which may contribute
to the overall execution time of the instruction:


• 80286 CPU overhead involved in handling the ESC instruction opcode and setting up the 80287
NPX
• Instruction execution by the 80287 NPX
• Operand transfers between the 80287 NPX and memory or a CPU register


The timing of these various activities is affected by the individual clock frequencies of the 80286 CPU 
and the 80287 NPX. In addition, slow memories requiring the insertion of wait states in bus cycles, 
and bus contention due to other processors in the system, may lengthen operand transfer times. 


In calculating an overall execution time for an individual numeric instruction, analysts must take each
of these activities into account. In most cases, it can be assumed that the numeric instructions have 
already been prefetched by the 80286 and are awaiting execution. 


• The CPU overhead in handling the ESC instruction opcode takes only a single CPU bus cycle
before the 80287 begins its execution of the numeric instruction. The timing of this bus cycle is
determined by the CPU clock. Additional CPU activity is required to set up the 80287’s instruction 
and data pointer registers, but this activity occurs after the 80287 has begun executing its instruc- 
tion, and so this parallel activity does not affect total execution time. 


Table 2-12. Key to Operand Types


Identifier        Explanation

ST                Stack top; the register currently at the top of the stack.
ST(i)             A register in the stack i (0 ≤ i ≤ 7) stack elements from the top. ST(1) is the
                  next-on-stack register, ST(2) is below ST(1), etc.
Short-real        A short real (32 bits) number in memory.
Long-real         A long real (64 bits) number in memory.
Temp-real         A temporary real (80 bits) number in memory.
Packed-decimal    A packed decimal integer (18 digits, 10 bytes) in memory.
Word-integer      A word binary integer (16 bits) in memory.
Short-integer     A short binary integer (32 bits) in memory.
Long-integer      A long binary integer (64 bits) in memory.
nn-bytes          A memory area nn bytes long.


• The duration of individual numeric instructions executing on the 80287 varies for each instruction.
Table 2-14 quotes a typical execution clock count and a range for each 80287 instruction. Dividing
the figures in the table by 5 (for a 5-MHz 80287 NPX clock) produces an execution time in
microseconds. The typical case is an estimate for operand values that normally characterize most
applications. The range encompasses best- and worst-case operand values that may be found in extreme
circumstances.


• The operand transfer time required to transfer operands between the 80287 and memory or a CPU
register depends on the number of words to be transferred, the frequency of the CPU clock controlling
bus timing, the number of wait states added to accommodate slower memories, and whether
operands are based at even or odd memory addresses. Some (small) additional number of bus cycles
may also be lost due to the asynchronous nature of the PEREQ/PEACK handshaking between the
80286 and 80287, and this interaction varies with relative frequencies of the CPU and NPX clocks.


The execution clock counts for the NPX execution of instructions shown in table 2-14 assume that no 
exceptions are detected during execution. Invalid operation, denormalized operand (unmasked), and 
zero divide exceptions usually decrease execution time from the typical figure, but execution still falls 
within the indicated range. The precision exception has no effect on execution time. Unmasked overflow 
and underflow, and masked denormalized exceptions impose additional execution penalties as shown 
in table 2-13. Absolute worst-case execution times are therefore the high range figure plus the largest 
penalty that may be encountered.


BUS TRANSFERS 


NPX instructions that reference memory require bus cycles to transfer operands between the NPX and
memory. The actual number of transfers depends on the length of the operand and the alignment of 
the operand in memory. In table 2-14, the first figure gives execution clocks for even-addressed operands, 
while the second gives the clock count for odd-addressed operands. 


For operands aligned at word boundaries, that is, based at even memory addresses, each word to be 
transferred requires one bus cycle between the 80286 data channel and memory, and one bus cycle to 
the NPX. For operands based at odd memory addresses, each word transfer requires two bus cycles to 
transfer individual bytes between the 80286 data channel and memory, and one bus cycle to the NPX. 


NOTE 


For best performance, operands for the 80287 should be aligned along word boundaries; that 
is, based at even memory addresses. Operands based at odd memory addresses are transferred 
to memory essentially byte-at-a-time and may take half again as long to transfer as word- 
aligned operands. 


Additional transfer time is required if slow memories are being used, requiring the insertion of wait
states into the CPU bus cycle. In multiprocessor environments, the bus may not be available
immediately; this overhead can also increase effective transfer time.


Table 2-13. Execution Penalties 


Overflow (unmasked) 


Underflow (unmasked) 
Denormalized (masked)


INSTRUCTION LENGTH


80287 instructions that do not reference memory are two bytes long. Memory reference instructions 
vary between two and four bytes. The third and fourth bytes are for the 8- or 16-bit displacement 
values used in conjunction with the standard 80286 memory-addressing modes. 


Note that the lengths quoted in table 2-14 for the processor control instructions (FNINIT, FNSTCW, 
FNSTSW, FNSTSW AX, FNCLEX, FNSTENV, and FNSAVE) do not include the one-byte CPU
wait instruction inserted by the ASM286 assembler if the control instruction is coded using the wait
form of the mnemonic (e.g. FINIT, FSTCW, FSTSW, FSTSW AX, FCLEX, FSTENV, and FSAVE).
Wait and no-wait forms of the processor control instructions have been described in the preceding section
titled “Processor Control Instructions.” 


Table 2-14. Instruction Set Reference Data


FABS    FABS (no operands)
Absolute value    Exceptions: I


FADD    FADD //source/destination,source
Add real    Exceptions: I, D, O, U, P

                       Execution Clocks     Operand Word   Code
Operands               Typical   Range      Transfers      Bytes   Coding Example
//ST,ST(i)/ST(i),ST    85                   0                      FADD ST,ST(4)
short-real             105                  2                      FADD AIR_TEMP [SI]
long-real              110                  4                      FADD [BX].MEAN


FADDP    FADDP destination,source
Add real and pop    Exceptions: I, D, O, U, P


FBLD    FBLD source
Packed decimal (BCD) load    Exceptions: I

                       Execution Clocks     Operand Word   Code
Operands               Typical   Range      Transfers      Bytes   Coding Example
packed-decimal                   290-310                           FBLD YTD_SALES


FBSTP    FBSTP destination
Packed decimal (BCD) store and pop    Exceptions: I


FCHS    FCHS (no operands)
Change sign    Exceptions: I


FCLEX/FNCLEX    FCLEX/FNCLEX (no operands)
Clear exceptions    Exceptions: None


FCOM    FCOM //source
Compare real    Exceptions: I, D

                  Execution Clocks     Operand Word   Code
Operands          Typical   Range      Transfers      Bytes   Coding Example
//ST(i)           45        40-50      0              2       FCOM ST(1)
short-real        65        60-70      2              2-4     FCOM [BP].UPPER_LIMIT
long-real         70        65-75      4              2-4     FCOM WAVELENGTH


FCOMP    FCOMP //source
Compare real and pop    Exceptions: I, D

                  Execution Clocks     Operand Word   Code
Operands          Typical   Range      Transfers      Bytes   Coding Example
//ST(i)                     49-52                             FCOMP ST(2)
short-real        5         63-73                             FCOMP [BP + 2].N_READINGS
long-real         72        67-77                             FCOMP DENSITY


FCOMPP    FCOMPP (no operands)
Compare real and pop twice    Exceptions: I, D


FDECSTP    FDECSTP (no operands)
Decrement stack pointer    Exceptions: None


FDIV    FDIV //source/destination,source
Divide real    Exceptions: I, D, Z, O, U, P

                       Execution Clocks     Operand Word   Code
Operands               Typical   Range      Transfers      Bytes   Coding Example
//ST(i),ST                       193-203                           FDIV
short-real                       215-225                           FDIV DISTANCE
long-real                        220-230                           FDIV ARC [DI]


FDIVP    FDIVP destination,source
Divide real and pop    Exceptions: I, D, Z, O, U, P


FDIVR    FDIVR //source/destination,source
Divide real reversed    Exceptions: I, D, Z, O, U, P

                       Execution Clocks     Operand Word   Code
Operands               Typical   Range      Transfers      Bytes   Coding Example
//ST,ST(i)/ST(i),ST    199       194-204                           FDIVR ST(2),ST
short-real             221       216-226                           FDIVR [BX].PULSE_RATE
long-real              226       221-231                           FDIVR RECORDER.FREQUENCY


FDIVRP    FDIVRP destination,source
Divide real reversed and pop    Exceptions: I, D, Z, O, U, P


FFREE    FFREE destination
Free register    Exceptions: None


FIADD    FIADD source
Integer add    Exceptions: I, D, O, P

                  Execution Clocks     Operand Word   Code
Operands          Typical   Range      Transfers      Bytes   Coding Example
word-integer      120       102-137    1                      FIADD DISTANCE_TRAVELLED
short-integer     125       108-143    2              2-4     FIADD PULSE_COUNT [SI]


FICOM    FICOM source
Integer compare    Exceptions: I, D

                  Execution Clocks     Operand Word   Code
Operands          Typical   Range      Transfers      Bytes   Coding Example
word-integer      80        72-86      1              2-4     FICOM TOOL.N_PASSES
short-integer     85        78-91      2              2-4     FICOM [BP+4].PARM_COUNT


FICOMP    FICOMP source
Integer compare and pop    Exceptions: I, D

                  Execution Clocks     Operand Word   Code
Operands          Typical   Range      Transfers      Bytes   Coding Example
word-integer      82        74-88      1              2-4     FICOMP [BP].LIMIT [SI]
short-integer     87        80-93      2              2-4     FICOMP N_SAMPLES


FIDIV : FIDIV source Exceptions: |, D, Z, O, U, P 


Integer divide 


Execution Clocks 
hanee | ane Word | Code 


Operands Transfers Bytes 


_ Coding Example 


| Typical | | Range | 


word-integer — 230 224-238 FIDIV SURVEY.OBSERVATIONS 
short-integer 236 230-243 | FIDIV RELATIVE_ANGLE [DI]. 


FIDIVR FIDIVR source


Integer divide reversed Exceptions: I, D, Z, O, U, P


Execution Clocks 


range | ane Word Code 
Transfers 


Operands Coding Example 


| Typical } Range 


{ word-integer 230 225-239 FIDIVR [BP] 1c COORD 
short-integer 237 231-245 FIDIVR FREQUENCY 


FILD source 
Integer load 


Execution Clocks 
Operands 


Exceptions: I


ieetene Word 
Transfers 


Coding Example 


word-integer 46-54 1 FILD [BX].SEQUENCE 
short-integer . Ze 52-60 2 FILD STANDOFF [DI] 
long-integer 64 60-68 4 FILD RESPONSE.COUNT 


FIMUL source

Integer multiply                             Exceptions: I, D, O, P

                        Execution Clocks
Operands                Typical   Range       Coding Example

word-integer            130       124-138     FIMUL BEARING
short-integer           136       130-144     FIMUL POSITION.Z_AXIS


FINCSTP FINCSTP (no operands) 


Increment stack pointer Exceptions: None 


Execution Clocks 
rense | tae Word | Code 
Transfers 


Operands" Coding Example 


| Typical | } Range


FINIT/FNINIT FINIT/FNINIT (no operands) 


Initialize processor Exceptions: None 


Execution Clocks 


Operand Word | Code 


Operands Transfers 


Coding Example 
Typical Range 


FIST destination

Integer store                                Exceptions: I, P

                        Execution Clocks
Operands                Typical   Range       Coding Example

word-integer            86        80-90       FIST OBS.COUNT[SI]
short-integer           88        82-92       FIST [BP].FACTORED_PULSES


FISTP FISTP destination 
Integer store and pop 


Execution Clocks 
Operands 


word-integer 
short-integer 
long-integer 


Exceptions: I, P


Operand Word ; Code 
Transfers Bytes 


Exceptions: I, D, O, P


Coding Example 


FISTP [BX].ALPHA_COUNT [SI] 
FISTP CORRECTED_TIME 
FISTP PANEL.N_READINGS


FISUB source
Integer subtract

                  Execution Clocks      Operand Word   Code
Operands          Typical   Range       Transfers      Bytes   Coding Example

word-integer      120       102-137     1              2-4     FISUB BASE_FREQUENCY
short-integer     125       108-143     2              2-4     FISUB TRAIN_SIZE [DI]


FISUBR          FISUBR source

Integer subtract reversed                    Exceptions: I, D, O, P

                        Execution Clocks
Operands                Typical   Range       Coding Example

word-integer            120       103-139     FISUBR FLOOR [BX] [SI]
short-integer           125       109-144     FISUBR BALANCE


FLD source 


Load real Exceptions: I, D


Execution Clocks 


Operands 
ST(i) 


short-real 
long-real 
temp-real 


Operand Word | Code 


Transfers Coding Example 


FLD ST(0) 
FLD READING [SI].PRESSURE 
FLD [BP].TEMPERATURE 

FLD SAVEREADING 


FLDCW source 
Load control word 


Execution Clocks


| Typical } Range 


Exceptions: None 


renee | Te Word | Code 


Transfers Coding Example


Operands 


wm» Lom |__| free conan 


FLDENV FLDENV source 


Load environment 


| Typical | Range 
FLDLG2 FLDLG2 (no operands) 
Load log10 2
| 


Execution Clocks 
| Typical | Range 

cme [= [wm [@ [ane 

FLDLN2 FLDLN2 (no operands) 
Load loge 2


| Typical | | Range
Exceptions: None


renee tans Word | Code 
Transfers 


Coding Example


Exceptions: I


renee tame Word | Code 
Transfers 


Coding Example 


Exceptions: I


ame | Word | Code 
Transfers 


Coding Example


FLDL2E FLDL2E (no operands) 


Load log2 e Exceptions: I


Execution Clocks 


ange | T= Word | Code 
Transfers 


Operands Coding Example 


| Typical | Range 


feos |» [we |e [= [ame 


FLDL2T FLDL2T (no operands) 


Load log2 10 Exceptions: I


Execution Clocks 
ange | Tn Word | Code : 
Operands Teansters Bytes Coding Example 
| Typical | | Range 


FLDPI FLDPI (no operands) 


Load π


Execution Clocks 
| Typical | Range 

FLDZ (no operands)
Load +0.0 Exceptions: I


Exceptions: I


ange | Tn Word | Code 
Transfers 


Coding Example 


Execution Clocks 


Operand Word | Code 
Transfers 


Operands Coding Example 


Typical Range 


FLD1 (no operands)
Load +1.0 Exceptions: I


Execution Clocks 


Operand Word | Code 
Transfers 


Operands Coding Example


FMUL //source/destination,source

Multiply real                                Exceptions: I, D, O, U, P

                        Execution Clocks
Operands                Range         Coding Example

//ST(i),ST/ST,ST(i)¹    90-105        FMUL ST,ST(3)
//ST(i),ST/ST,ST(i)     130-145       FMUL ST,ST(3)
short-real              110-125       FMUL SPEED_FACTOR
long-real¹              112-126       FMUL [BP].HEIGHT
long-real               154-168       FMUL [BP].HEIGHT


FMULP destination, source


Multiply real and pop Exceptions: I, D, O, U, P


Execution Clocks 


renoe J Trae Word | Code 


Transfers coding Example 


_ Operands 


| Typical | Range | 


| i), ST1 100 94-108 FMULP ST(1 
ST 142 134-148 FMULP at 


FNOP (no operands)
No operation


Exceptions: None 


Execution Clocks ! ’ 
a . Operand Word | Code 


Trancters Coding Example 


Operands _ 


Typical Range 


FPATAN FPATAN (no operands) 


Partial arctangent Exceptions: U, P (operands not checked)


Execution Clocks 


Operand Word | Code > 
Transters 


eons Example 


Operands | — 


FPREM (no operands)


Partial remainder Exceptions: I, D, U


Execution Clocks 
. a _.| Operand Word | Code 
Transfers 


; Operands Coding Example 


Typical mange 


¹Occurs when one or both operands is “short”—it has 40 trailing zeros in its fraction (e.g., it was loaded
from a short-real memory operand).


FPTAN (no operands) 
Partial tangent 


Execution Clocks 
Operands 


FRNDINT FRNDINT (no operands) 
Round to integer 


Operands 


FRSTOR FRSTOR source 
Restore saved state 


Execution Clocks 
Operands Operand Word | Code 
F : Transfers Bytes 
Typical Range 


FSAVE/FNSAVE FSAVE/FNSAVE destination 
Save state 


Execution Clocks 
Operands Operand Word | Code Coding Example 
: Transfers 
Typical Range 


The 80287 execution clock count for this instruction is not meaningful in determining overall instruction 
execution time. For typical frequency ratios of the 80286 and 80287 clocks, 80287 execution occurs in 
parallel with the operand transfers, with the operand transfers determining the overall execution time of 
the instruction. For 80286:80287 clock frequency ratios of 4:8, 1:1, and 8:5, the overall execution clock 
count for this instruction is estimated at 490, 302, and 227 80287 clocks, respectively.


Exceptions: I, P (operands not checked)


Code 
Bytes 


Operand Word 
Transfers 


Coding Example 


Exceptions: I, P


Code 
Bytes 


Operand Word 
Transfers 


Coding Example 


Exceptions: None 


Coding Example 


Exceptions: None 


³The 80287 execution clock count for this instruction is not meaningful in determining overall instruction
execution time. For typical frequency ratios of the 80286 and 80287 clocks, 80287 execution occurs in
parallel with the operand transfers, with the operand transfers determining the overall execution time of
the instruction. For 80286:80287 clock frequency ratios of 4:8, 1:1, and 8:5, the overall execution clock
count for this instruction is estimated at 376, 233, and 174 80287 clocks, respectively.


FSCALE FSCALE (no operands) 


Scale Exceptions: I, O, U


Execution Clocks 


Operand Word Code 
| Transfers 


Operands Coding Example 


Typical Range 


es [fe [rm 


FSETPM FSETPM (no operands) 
Set protected mode


Exceptions: None 


Execution Clocks 


Operand Word | Code 
Transfers 


Operands Coding Example 


Typical Range 


FSQRT (no operands) 
Square root 


Exceptions: I, D, P


Execution Clocks 


Operand Word | Code 
Transfers 


Operands Coding Example


Typical Range 


poms fw [wm] oY fr 


FST destination 


Store real Exceptions: I, O, U, P


Execution Clocks 


Operands 
| ST(i) 


short-real 
long-real 


Operand Word 
Transfers 


Coding Example 


FST ST(3) 
FST CORRELATION [DI] 
FST MEAN_READING 


FSTCW/ FSTCW destination Exceptions: None
FNSTCW Store control word


| Execution Clocks 


Operand Word. 
Transfers 


Operands Coding Example


FSTENV/ FSTENV destination Exceptions: None
FNSTENV Store environment


Execution Clocks 
range Tans Word | Code 
Transfers 


Operands Coding Example 


| Typical | | Range | 


FSTP destination 
Store real and pop 


Exceptions: I, O, U, P


Execution Clocks 


Operands 
ST(i) 


short-real 
long-real 
temp-real 


Operand Word 


Transfers Coding Example


FSTP ST(2) 
FSTP [BX].ADJUSTED_RPM 
FSTP TOTAL_DOSAGE 

FSTP REG_SAVE [SI] 


FSTSW/ FSTSW destination Exceptions: None
FNSTSW Store status word


Execution Clocks 
Operands 


| Typical | | Range 
2-bytes foe | 12-18 po | ta FSTSW SAVE_STATUS 


FSTSW AX/ FSTSW AX
FNSTSW AX Store status word to AX


range | ane Word 
Transfers 


Coding Example 


Exceptions: None 


Execution Clocks 


Operand Word | Code 


Operands Transfers 


Coding Example 
| Typical | Range 


mL Lee [oe fe 


FSUB FSUB //source/destination,source 
| Subtract real 


Execution Clocks 
Operands 


//ST, ST(i) (i) /ST(i), 
short-real ice 
long-real 110 


Exceptions: I, D, O, U, P


Operand Word | Code 
Transfers 


Coding Example 


FSUB ST,ST(2) 
FSUB BASE_VALUE
FSUB COORDINATE.X


FSUBP destination, Source 


Exceptions: I, D, O, U, P


Subtract real and pop 


Execution Clocks 
Operands . Operand Word | Code 
| Typical Transfers Bytes 


FSUBR FSUBR //source/destination, source 
Subtract real reversed 


Execution Clocks 
Operands 


[/ST,ST(i)/ST(i),ST | 87 
short-real 105 
long-real | 110 


Coding Example 


Exceptions: I, D, O, U, P


Operand Word 
Transfers 


Coding Example 


FSUBR ST,ST(1) 
FSUBR VECTOR[SI]
FSUBR [BX].INDEX 


FSUBRP FSUBRP destination, source 


Subtract real reversed and pop Exceptions: I, D, O, U, P


Code 
Bytes 


Execution Clocks 


Operands 


Operand Word 


Transfers Coding Example


FTST (no operands) 
Test stack top against +0.0 


Execution Clocks | 
Operands 


Exceptions: I, D


Operand Word | Code 


Transfers Bytes Coding Example


FWAIT FWAIT (no operands)
(CPU) Wait while 80287 is busy Exceptions: None (CPU instruction)


Execution Clocks 


Operands 


Operand Word | Code 


Transfers Bytes Coding Example


⁴n = number of times CPU examines BUSY line before 80287 completes execution of previous instruction.


FXAM (no operands) 


Examine stack top Exceptions: None 


Execution Clocks 


range | Tm® Word | Code 
Transfers 


Operands Coding Example 


| Typical | | Range 


FXCH //destination
Exchange registers Exceptions: I


‘Execution Clocks 


‘Operands 
Typical | Range 


aaree | a Word | Code 
Transfers 


Coding Example 


FXTRACT FXTRACT (no operands) 


Extract exponent and significand


| Typical ) Range 
FYL2X (no operands)
Y * log2 X Exceptions: P (operands not checked)


Exceptions: I


ange | T= Word | Code 
Transfers 


Coding Example 


Execution Clocks 


ange | T= Word | Code 
Transfers 


Operands Coding Example 


| Typical | Range 


FYL2XP1 FYL2XP1 (no operands)
Y * log2 (X+1) Exceptions: P (operands not checked)


Execution Clocks 


ange | T= Word | Code 
Transfers 


Operands Coding Example


| Typical | Range


Recap ino“oPperanas) Exceptions: U, P (operands not checked) 


Execution Clocks | 
Operand Word | Code 


Transfers 


Operands Coding Example 


Typical Range 


PROGRAMMING FACILITIES 


As described previously, the 80287 NPX is programmed simply as an extension of the 80286 CPU.
This section describes how programmers in ASM286 and in a variety of higher-level languages can
work with the 80287.


The level of detail in this section is intended to give programmers a basic understanding of the software 
tools that can be used with the 80287, but this information does not document the full capabilities of 
these facilities. For a complete list of documentation on all the languages available for iAPX 286 
systems, readers should consult Intel’s Literature Guide.


High-Level Languages 


For programmers using high-level languages, the programming and operation of the NPX is handled 
automatically by the compiler. A variety of Intel high-level languages are available that automatically 
make use of the 80287 NPX when appropriate. These languages include 


PL/M-286 
FORTRAN-286 
PASCAL-286 
C-286 


Each of these high-level languages has special numeric libraries allowing programs to take advantage 
of the capabilities of the 80287 NPX. No special programming conventions are necessary to make use 
of the 80287 NPX when programming numeric applications in any of these languages. 


Programmers in PL/M-286 and ASM286 can also make use of many of these library routines by using 
routines contained in the 80287 Support Library, described in the 80287 Support Library Reference 
Manual, Order Number 122129. These library routines provide many of the functions provided by 
higher-level languages, including exception handlers, ASCII-to-floating-point conversions, and a more 
complete set of transcendental functions than that provided by the 80287 instruction set. 


PL/M-286 


Programmers in PL/M-286 can access a very useful subset of the 80287’s numeric capabilities. The
PL/M-286 REAL data type corresponds to the NPX’s short real (32-bit) format. This data type provides
a range of about 8.43*10^-37 ≤ ABS(X) ≤ 3.38*10^38, with about seven significant decimal digits. This
representation is adequate for the data manipulated by many microcomputer applications.


The utility of the REAL data type is extended by the PL/M-286 compiler’s practice of holding
intermediate results in the 80287’s temporary real format. This means that the full range and precision of
the processor are utilized for intermediate results. Underflow, overflow, and rounding errors are most
likely to occur during intermediate computations rather than during calculation of an expression’s final
result. Holding intermediate results in temporary real format greatly reduces the likelihood of overflow
and underflow and eliminates roundoff as a serious source of error until the final assignment of the
result is performed.


The compiler generates 80287 code to evaluate expressions that contain REAL data types, whether 
variables or constants or both. This means that addition, subtraction, multiplication, division, compar- 
ison, and assignment of REALs will be performed by the NPX. INTEGER expressions, on the other 
hand, are evaluated on the CPU. 


Five built-in procedures (table 2-15) give the PL/M-286 programmer access to 80287 functions
manipulated by the processor control instructions. Prior to any arithmetic operations, a typical PL/M-286
program will set up the NPX after power up using the INIT$REAL$MATH$UNIT procedure and
then issue SET$REAL$MODE to configure the NPX. SET$REAL$MODE loads the 80287 control
word, and its 16-bit parameter has the format shown in figure 1-5. The recommended value of this
parameter is 033EH (projective closure, round to nearest, 64-bit precision, all exceptions masked except
invalid operation). Other settings may be used at the programmer’s discretion.


If any exceptions are unmasked, an exception handler must be provided in the form of an interrupt
procedure that is designated to be invoked by CPU interrupt pointer (vector) number 16. The
exception handler can use the GET$REAL$ERROR procedure to obtain the low-order byte of the 80287
status word and to then clear the exception flags. The byte returned by GET$REAL$ERROR contains
the exception flags; these can be examined to determine the source of the exception.
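The two values discussed above, the SET$REAL$MODE parameter and the byte returned by GET$REAL$ERROR, can be decoded as follows. This Python sketch is an added example, not code from the manual; it assumes the standard 8087/80287 control and status word bit layout (the manual's figure 1-5 is not reproduced in this section), and the function names and the sample status byte are constructed for illustration.

```python
# Added example: decode the 80287 control word and the low-order status byte.
# Assumed layout (standard 8087/80287 registers):
#   control word: bits 0-5 exception masks (I,D,Z,O,U,P), bits 8-9 precision,
#                 bits 10-11 rounding, bit 12 infinity control
#   status byte : bits 0-5 exception flags (I,D,Z,O,U,P), bit 7 interrupt request

EXCEPTIONS = (            # bit 0 .. bit 5, same order in both registers
    "invalid operation",
    "denormalized operand",
    "zero divide",
    "overflow",
    "underflow",
    "precision",
)
PRECISION = {0b00: "24-bit", 0b01: "reserved", 0b10: "53-bit", 0b11: "64-bit"}
ROUNDING = {0b00: "round to nearest", 0b01: "round down",
            0b10: "round up", 0b11: "chop"}


def decode_control_word(cw):
    """Split a 16-bit control word into the settings SET$REAL$MODE loads."""
    if not 0 <= cw <= 0xFFFF:
        raise ValueError("control word must fit in 16 bits")
    masked = [n for bit, n in enumerate(EXCEPTIONS) if (cw >> bit) & 1]
    unmasked = [n for bit, n in enumerate(EXCEPTIONS) if not (cw >> bit) & 1]
    return {
        "masked": masked,
        "unmasked": unmasked,
        "precision": PRECISION[(cw >> 8) & 0b11],
        "rounding": ROUNDING[(cw >> 10) & 0b11],
        "infinity": "affine" if (cw >> 12) & 1 else "projective",
        # Any unmasked exception means an interrupt 16 handler must exist.
        "handler_required": bool(unmasked),
    }


def decode_error_byte(status_low):
    """Decode the low-order status byte, as returned by GET$REAL$ERROR."""
    if not 0 <= status_low <= 0xFF:
        raise ValueError("expected a single byte")
    flags = [n for bit, n in enumerate(EXCEPTIONS) if (status_low >> bit) & 1]
    return {"flags": flags, "interrupt_request": bool(status_low & 0x80)}


def exceptions_reaching_handler(cw, status_low):
    """Flagged exceptions that the control word leaves unmasked."""
    unmasked = set(decode_control_word(cw)["unmasked"])
    return [n for n in decode_error_byte(status_low)["flags"] if n in unmasked]


if __name__ == "__main__":
    RECOMMENDED = 0x033E          # value recommended in the text
    SAMPLE_STATUS = 0xA1          # constructed: interrupt request, P and I set
    print(decode_control_word(RECOMMENDED))
    print(decode_error_byte(SAMPLE_STATUS))
    print(exceptions_reaching_handler(RECOMMENDED, SAMPLE_STATUS))
```

With the recommended value only the invalid-operation exception is unmasked, so a precision flag in the status byte is informational and never reaches the handler.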


The SAVE$REAL$STATUS and RESTORE$REAL$STATUS procedures are provided for
multitasking environments where a running task that uses the 80287 may be preempted by another task that
also uses the 80287. It is the responsibility of the preempting task to issue SAVE$REAL$STATUS
before it executes any statements that affect the 80287; these include the INIT$REAL$MATH$UNIT
and SET$REAL$MODE procedures as well as arithmetic expressions. SAVE$REAL$STATUS saves
the 80287 state (registers, status, and control words, etc.) on the CPU’s stack.
RESTORE$REAL$STATUS reloads the state information; the preempting task must invoke this
procedure before terminating in order to restore the 80287 to its state at the time the running task was
preempted. This enables the preempted task to resume execution from the point of its preemption.


Table 2-15. PL/M-286 Built-In Procedures


Procedure                 80287 Instruction    Description

INIT$REAL$MATH$UNIT(1)    FINIT                Initialize processor.
SET$REAL$MODE             FLDCW                Set exception masks, rounding
                                               precision, and infinity controls.
GET$REAL$ERROR(2)         FNSTSW & FNCLEX      Store, then clear, exception flags.
SAVE$REAL$STATUS          FNSAVE               Save processor state.
RESTORE$REAL$STATUS       FRSTOR               Restore processor state.


(1) Also initializes interrupt pointers for emulation.
(2) Returns low-order byte of status word.


ASM286


The ASM286 assembly language provides programmers with complete access to all of the facilities
of the 80286 and 80287 processors.


The programmer’s view of the iAPX 286/20 hardware is a single machine with these resources:


• 160 instructions
• 12 data types
• 8 general registers
• 4 segment registers
• 8 floating-point registers, organized as a stack


DEFINING DATA 


The ASM286 directives shown in table 2-16 allocate storage for 80287 variables and constants. As
with other storage allocation directives, the assembler associates a type with any variable defined with
these directives. The type value is equal to the length of the storage unit in bytes (10 for DT, 8 for
DQ, etc.). The assembler checks the type of any variable coded in an instruction to be certain that it
is compatible with the instruction. For example, the coding FIADD ALPHA will be flagged as an
error if ALPHA’s type is not 2 or 4, because integer addition is only available for word and short
integer data types. The operand’s type also tells the assembler which machine instruction to produce;
although to the programmer there is only an FIADD instruction, a different machine instruction is
required for each operand type.


On occasion it is desirable to use an instruction with an operand that has no declared type. For example,
if register BX points to a short integer variable, a programmer may want to code FIADD [BX]. This
can be done by informing the assembler of the operand’s type in the instruction, coding FIADD DWORD
PTR [BX]. The corresponding overrides for the other storage allocations are WORD PTR, QWORD
PTR, and TBYTE PTR.


The assembler does not, however, check the types of operands used in processor control instructions.
Coding FRSTOR [BP] implies that the programmer has set up register BP to point to the stack location 
where the processor’s 94-byte state record has been previously saved. 


Table 2-16. 80287 Storage Allocation Directives


Directive   Interpretation       Data Types

DW          Define Word          Word integer
DD          Define Doubleword    Short integer, short real
DQ          Define Quadword      Long integer, long real
DT          Define Tenbyte       Packed decimal, temporary real


The initial values for 80287 constants may be coded in several different ways. Binary integer constants
may be specified as bit strings, decimal integers, octal integers, or hexadecimal strings. Packed decimal
values are normally written as decimal integers, although the assembler will accept and convert other
representations of integers. Real values may be written as ordinary decimal real numbers (decimal
point required), as decimal numbers in scientific notation, or as hexadecimal strings. Using hexadecimal
strings is primarily intended for defining special values such as infinities, NaNs, and nonnormalized
numbers. Most programmers will find that ordinary decimal and scientific decimal provide the simplest
way to initialize 80287 constants. Figure 2-3 compares several ways of setting the various 80287 data
types to the same initial value.
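The bit patterns behind the constants compared in Figure 2-3 can be derived mechanically. The Python sketch below is an added example, not part of the manual; it encodes one value in each of the seven 80287 data formats and prints the result as a hexadecimal string, most significant byte first. The function names are illustrative, and the temporary real routines handle finite, exactly representable values only.

```python
# Added example: encode a value in each 80287 data format (hex, MSB first).
import struct
from fractions import Fraction


def twos_complement(value, bits):
    """Word (16), short (32) or long (64) binary integer."""
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    if not lo <= value <= hi:
        raise ValueError(f"{value} does not fit in {bits} bits")
    return f"{value & ((1 << bits) - 1):0{bits // 4}X}"


def packed_decimal(value):
    """Ten bytes: a sign byte (80H if negative) and 18 BCD digits."""
    if abs(value) >= 10 ** 18:
        raise ValueError("packed decimal holds at most 18 digits")
    sign = 0x80 if value < 0 else 0x00
    return f"{sign:02X}{abs(value):018d}"


def temp_real(value):
    """80 bits: sign, 15-bit exponent (bias 16383), 64-bit significand
    with an explicit integer bit."""
    sign = 1 if value < 0 else 0
    mag = Fraction(abs(value))
    if mag == 0:
        return f"{sign << 79:020X}"
    # Find e with 1 <= mag / 2**e < 2 (normalized significand).
    e = mag.numerator.bit_length() - mag.denominator.bit_length()
    if mag < Fraction(2) ** e:
        e -= 1
    sig = mag / Fraction(2) ** e * (1 << 63)
    if sig.denominator != 1:
        raise ValueError("not exactly representable in 64 significand bits")
    if not -16382 <= e <= 16383:
        raise ValueError("exponent out of range for a normal temporary real")
    return f"{(sign << 79) | ((e + 16383) << 64) | int(sig):020X}"


def decode_temp_real(hex_string):
    """Inverse of temp_real for finite values; unnormals are accepted."""
    bits = int(hex_string, 16)
    sign = -1 if bits >> 79 else 1
    exponent = (bits >> 64) & 0x7FFF
    significand = bits & ((1 << 64) - 1)
    return sign * Fraction(significand, 1 << 63) * Fraction(2) ** (exponent - 16383)


def encode_all(value):
    """Encode an integer value in every format, keyed by Figure 2-3's names."""
    return {
        "WORD_INTEGER": twos_complement(value, 16),
        "SHORT_INTEGER": twos_complement(value, 32),
        "LONG_INTEGER": twos_complement(value, 64),
        "SHORT_REAL": struct.pack(">f", float(value)).hex().upper(),
        "LONG_REAL": struct.pack(">d", float(value)).hex().upper(),
        "PACKED_DECIMAL": packed_decimal(value),
        "TEMP_REAL": temp_real(value),
    }


if __name__ == "__main__":
    for name, pattern in encode_all(-126).items():
        print(f"{name:15s} {pattern}")
```

For -126 the temporary real has sign and exponent C005 and a significand whose leading (integer) bit is set, because 126 = 1.96875 * 2^6.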


Note that preceding 80287 variables and constants with the ASM286 EVEN directive ensures that the 
operands will be word-aligned in memory. This will produce the best system performance. All 80287 
data types occupy integral numbers of words so that no storage is “wasted” if blocks of variables are 
defined together and preceded by a single EVEN declarative. 


RECORDS AND STRUCTURES 


The ASM286 RECORD and STRUC (structure) declaratives can be very useful in NPX program- 
ming. The record facility can be used to define the bit fields of the control, status, and tag words. 
Figure 2-4 shows one definition of the status word and how it might be used in a routine that polls the 
80287 until it has completed an instruction. 


Because STRUCtures allow different but related data types to be grouped together, they often provide 
a natural way to represent “real world” data organizations. The fact that the structure template may 
be “moved” about in memory adds to its flexibility. Figure 2-5 shows a simple structure that might be 
used to represent data consisting of a series of test score samples. A structure could also be used to 
define the organization of the information stored and loaded by the FSTENV and FLDENV instructions.


ADDRESSING MODES 


80287 memory data can be accessed with any of the CPU’s five memory addressing modes. This means 
that 80287 data types can be incorporated in data aggregates ranging from simple to complex accord- 
ing to the needs of the application. The addressing modes, and the ASM286 notation used to specify 
them in instructions, make the accessing of structures, arrays, arrays of structures, and other organi- 
zations direct and straightforward. Table 2-17 gives several examples of 80287 instructions coded with 
operands that illustrate different addressing modes. 


; THE FOLLOWING ALL ALLOCATE THE CONSTANT: -126
; NOTE TWO’S COMPLEMENT STORAGE OF NEGATIVE BINARY INTEGERS.

                EVEN                            ; FORCE WORD ALIGNMENT
WORD_INTEGER    DW   1111111110000010B          ; BIT STRING
SHORT_INTEGER   DD   0FFFFFF82H                 ; HEX STRING MUST START
                                                ; WITH DIGIT
LONG_INTEGER    DQ   -126                       ; ORDINARY DECIMAL
SHORT_REAL      DD   -126.0                     ; NOTE PRESENCE OF ‘.’
LONG_REAL       DQ   -1.26E2                    ; "SCIENTIFIC"
PACKED_DECIMAL  DT   -126                       ; ORDINARY DECIMAL INTEGER

; IN THE FOLLOWING, SIGN AND EXPONENT IS ‘C005’
; SIGNIFICAND IS ‘FC00...00’, ‘R’ INFORMS ASSEMBLER THAT
; THE STRING REPRESENTS A REAL DATA TYPE.

TEMP_REAL       DT   0C005FC00000000000000R     ; HEX STRING


Figure 2-3. Sample 80287 Constants


; RESERVE SPACE FOR STATUS WORD
STATUS_WORD     DW   ?

; LAY OUT STATUS WORD FIELDS
STATUS          RECORD
&               BUSY:        1,
&               COND_CODE3:  1,
&               STACK_TOP:   3,
&               COND_CODE2:  1,
&               COND_CODE1:  1,
&               COND_CODE0:  1,
&               INT_REQ:     1,
&               RESERVED:    1,
&               P_FLAG:      1,
&               U_FLAG:      1,
&               O_FLAG:      1,
&               Z_FLAG:      1,
&               D_FLAG:      1,
&               I_FLAG:      1

; POLL STATUS WORD UNTIL 80287 IS NOT BUSY
POLL:           FNSTSW  STATUS_WORD
                TEST    STATUS_WORD, MASK BUSY
                JNZ     POLL


Figure 2-4. Status Word RECORD Definition


SAMPLE          STRUC
N_OBS           DD   ?               ; SHORT INTEGER
MEAN            DQ   ?               ; LONG REAL
MODE            DW   ?               ; WORD INTEGER
STD_DEV         DQ   ?               ; LONG REAL
; ARRAY OF OBSERVATIONS -- WORD INTEGER
TEST_SCORES     DW   1000 DUP (?)
SAMPLE          ENDS


Figure 2-5. Structure Definition


Table 2-17. Addressing Mode Examples


Coding                  Interpretation

ALPHA                   ALPHA is a simple scalar (mode is direct).

ALPHA.BETA              BETA is a field in a structure that is
                        “overlaid” on ALPHA (mode is direct).

QWORD PTR [BX]          BX contains the address of a long real
                        variable (mode is register indirect).

ALPHA [SI]              ALPHA is an array and SI contains the
                        offset of an array element from the start of
                        the array (mode is indexed).

[BP].BETA               BP contains the address of a structure on
                        the CPU stack and BETA is a field in the
                        structure (mode is based).

TBYTE PTR [BX] [DI]     BX contains the address of a packed
                        decimal array and DI contains the offset of
                        an array element (mode is based indexed).


Comparative Programming Example 


Figures 2-6 and 2-7 show the PL/M-286 and ASM286 code for a simple 80287 program, called
ARRSUM. The program references an array (X$ARRAY), which contains 0-100 short real values;
the integer variable N$OF$X indicates the number of array elements the program is to consider.
ARRSUM steps through X$ARRAY accumulating three sums:


• SUM$X, the sum of the array values

• SUM$INDEXES, the sum of each array value times its index, where the index of the first element
  is 1, the second is 2, etc.

• SUM$SQUARES, the sum of each array element squared


(A true program, of course, would go beyond these steps to store and use the results of these
calculations.) The control word is set with the recommended values: projective closure, round to nearest,
64-bit precision, interrupts enabled, and all exceptions masked except invalid operation. It is assumed that an
exception handler has been written to field the invalid operation, if it occurs, and that it is invoked by
interrupt pointer 16. Either version of the program will run on an actual or an emulated 80287 without
altering the code shown.


The PL/M-286 version of ARRSUM (figure 2-6) is very straightforward and illustrates how easily the
80287 can be used in this language. After declaring variables the program calls built-in procedures to
initialize the processor (or its emulator) and to load the control word. The program clears the sum
variables and then steps through X$ARRAY with a DO-loop. The loop control takes into account
PL/M-286’s practice of considering the index of the first element of an array to be 0. In the
computation of SUM$INDEXES, the built-in procedure FLOAT converts I+1 from integer to real because
the language does not support “mixed mode” arithmetic. One of the strengths of the NPX, of course,
is that it does support arithmetic on mixed data types (because all values are converted internally to
the 80-bit temporary real format).


The ASM286 version (figure 2-7) defines the external procedure INIT287, which makes the different 
initialization requirements of the processor and its emulator transparent to the source code. After defining 
the data and setting up the segment registers and stack pointer, the program calls INIT287 and loads 
the control word. The computation begins with the next three instructions, which clear three registers 
by loading (pushing) zeros onto the stack. As shown in figure 2-8, these registers remain at the bottom 
of the stack throughout the computation while temporary values are pushed on and popped off the 
stack above them. 


The program uses the CPU LOOP instruction to control its iteration through X_ARRAY; register CX,
which LOOP automatically decrements, is loaded with N_OF_X, the number of array elements to be
summed. Register SI is used to select (index) the array elements. The program steps through X_ARRAY
from back to front, so SI is initialized to point at the element just beyond the first element to be
processed. The ASM286 TYPE operator is used to determine the number of bytes in each array element.
This permits changing X_ARRAY to a long real array by simply changing its definition (DD to DQ)
and reassembling.


PL/M-286 COMPILER ARRAYSUM


SERIES-I1I PL/M-286 Vi.G COMPILATION OF MODULE ARRAYSUM 
OBJECT MODULE PLACED IN :F6:D.OBJ
COMPILER INVOKED BY: PLM286.86 :F6:D.SRC XREF


              /****************************************
               *                                      *
               *          ARRAYSUM MODULE             *
               *                                      *
               ****************************************/

  1           array$sum: do;
  2   1       declare (sum$x, sum$indexes, sum$squares) real;
  3   1       declare x$array(100) real;
  4   1       declare (n$of$x, i) integer;
  5   1       declare control$287 literally '033eh';

              /* Assume x$array and n$of$x are initialized */

              /* Prepare the 80287 or its emulator */
  6   1       call init$real$math$unit;
  7   1       call set$real$mode(control$287);

              /* Clear sums */
  8   1       sum$x, sum$indexes, sum$squares = 0.0;

              /* Loop through array, accumulating sums */
  9   1       do i = 0 to n$of$x-1;
 10   2           sum$x = sum$x + x$array(i);
 11   2           sum$indexes = sum$indexes +
                      (x$array(i) * float(i+1));
 12   2           sum$squares = sum$squares + (x$array(i)*x$array(i));
 13   2       end;

              /* etc. */

 14   1       end array$sum;
PL/M-286 COMPILER ARRAYSUM 


CROSS-REFERENCE LISTING 


BEFN ADDR SIZE NAME, ATTRIBUTES, AND REFERENCES 


oe me eee eee ee te ee oe pe ete meee cat oe Oe ee eee Heel ie ey mee Re ae ie Se ne be oe on ee ee en ee oe ame ee 


1 O006H 117 ARRAYSUM. 2. 7 wl, PROCEDURE STACK=0002H 
5 CONTROL2@87 2. 0. 2. 1... LITERALLY ‘O3deh’ 


; FLOAT 2. feat 28 ob i a4 BUILTIN 1i 
4 O19EH Be dh ee SE ais Sie i Me Be whe! Bk INTEGER 5 OH 
-INITREALMATHUNIT 2... BUILTIN & 
4° O19CH .@ NOFX. . . . . . INTEGER 9 
SETREALMODE. . . . . . BUILTIN 7 
@ O004H 4 SUMINDEXES ..... . REAL. > Be 11 
@ OOO8H 4 SUMSGUARES . . . . . . REAL B# 12 
& OOOGH 4 SUMK . 2... REAL. Bit 10 
3 O0CCH 40Q0 XARRAY . . . . . REAL ARRAY (100) 
MODULE INFORMATION:
     CODE AREA SIZE     = 0077H    119D
     CONSTANT AREA SIZE = 0004H      4D
     VARIABLE AREA SIZE = 01A0H    416D
     MAXIMUM STACK SIZE = 0002H      2D

     33 LINES READ
     0 PROGRAM WARNINGS
     0 PROGRAM ERRORS
DICTIONARY SUMMARY: 

Sé6KRB MEMORY AVAILABLE 

SKB MEMORY USED (3%) 

OKB DISK SPACE USED 


END OF PL/M-286 COMPILATION 


Figure 2-6. Sample PL/M-286 Program 
iAPX286 MACRO ASSEMBLER    EXAMPLE_ASM286_PROGRAM 


SERIES-III iAPX286 MACRO ASSEMBLER X108 ASSEMBLY OF MODULE EXAMPLE_ASM286_PROGRAM 
OBJECT MODULE PLACED IN :F6:287EXP.OBJ 
ASSEMBLER INVOKED BY: ASM286.86 :F6:287EXP.SRC XREF 


SOURCE 

                name    example_ASM286_program 
; Define initialization routine 
                extrn   init287: far 

; Allocate space for data 
data            segment rw public 
control_287     dw      033eh 
n_of_x          dw      ? 
x_array         dd      100 dup (?) 
sum_squares     dd      ? 
sum_indexes     dd      ? 
sum_x           dd      ? 
data            ends 

; Allocate CPU stack space 
stack           stackseg 400 

; Begin code 
code            segment er public 
                assume  ds: data, ss: stack, es: nothing 
start: 
                mov     ax, data 
                mov     ds, ax 
                mov     ax, stack 
                mov     ss, ax 
                mov     sp, stackstart stack 

; Assume x_array and n_of_x are initialized 
; this program zeroes n_of_x 

; Prepare the 80287 or its emulator. 
                call    init287 
                fldcw   control_287 

; Clear three registers to hold running sums 
                fldz 
                fldz 
                fldz 

; CX as loop counter and 
; index to x_array 
                mov     cx, n_of_x 
                imul    cx 
                mov     si, ax 

; SI now contains index of last element + 1 
; Loop thru x_array, accumulating sums 
sum_next: 
                sub     si, type x_array        ; backup one element 
                fld     x_array[si]             ; push it on the stack 
                fadd    st(3), st               ; add into sum of x 
                fld     st                      ; duplicate x on top 
                fmul    st, st                  ; square it 
                faddp   st(2), st               ; add into sum of (index*x) 
                                                ; and discard 
                dec     n_of_x 
                loop    sum_next                ; continue 

; Pop running sums into memory 
pop_results: 
                fstp    sum_squares 
                fstp    sum_indexes 
                fstp    sum_x 
                fwait 


Figure 2-7. Sample ASM286 Program 
iAPX286 MACRO ASSEMBLER    EXAMPLE_ASM286_PROGRAM 


XREF SYMBOL TABLE LISTING 


NAME          TYPE      VALUE   ATTRIBUTES, XREFS 

CODE. . . . . SEGMENT           SIZE=0046H ER PUBLIC 19# 69 
CONTROL_287   V WORD    0000H   DATA 7# 33 
DATA. . . . . SEGMENT           SIZE=01A0H RW PUBLIC 6# 13 20 22 
INIT287 . . . L FAR     0000H   EXTRN 3# 32 
N_OF_X. . . . V WORD    0002H   DATA 8# 42 56 
POP_RESULTS   L NEAR    0039H   CODE 60# 
STACK . . . . STACK             SIZE=0190H RW PUBLIC 16# 20 24 26 
START . . . . L NEAR    0000H   CODE 21# 70 
SUM_INDEXES   V DWORD   0198H   DATA 11# 62 
SUM_NEXT. . . L NEAR    0024H   CODE 48# 57 
SUM_SQUARES   V DWORD   0194H   DATA 10# 61 
SUM_X . . . . V DWORD   019CH   DATA 12# 63 
X_ARRAY . . . V DWORD   0004H (100) DATA 9# 49 50 


END OF SYMBOL TABLE LISTING 


ASSEMBLY COMPLETE, NO ERRORS 


Figure 2-7. Sample ASM286 Program (Cont’d.) 


[Diagram: NPX register stack ST(0) through ST(4) holding X_ARRAY(19), SUM_SQUARES, SUM_INDEXES and SUM_X after FLDZ,FLDZ,FLDZ; FLD X_ARRAY[SI]; FMUL ST,ST; FADDP ST(2),ST] 


Figure 2-8. Instructions and Register Stack 
Figure 2-8 shows the effect of the instructions in the program loop on the NPX register stack. The 
figure assumes that the program is in its first iteration, that N_OF_X is 20, and that X_ARRAY(19) 
(the 20th element) contains the value 2.5. When the loop terminates, the three sums are left as the top 
stack elements so that the program ends by simply popping them into memory variables. 


80287 Emulation 


The programming of applications to execute on both iAPX 286/10 and iAPX 286/20 systems is made 
much easier by the existence of an 80287 emulator for iAPX 286/10 systems. The Intel E80287 emulator 
offers a complete software counterpart to the 80287 hardware; NPX instructions can be simply emulated 
in software rather than being executed in hardware. With software emulation, the distinction between 
iAPX 286/10 and iAPX 286/20 systems is reduced to a simple performance differential. Identical 
numeric programs will simply execute more slowly on iAPX 286/10 systems (using software emulation 
of NPX instructions) than on iAPX 286/20 systems (executing NPX instructions directly). 


When incorporated into the systems software, the emulation of NPX instructions on iAPX 286/10 
systems is completely transparent to the programmer. Applications software needs no special libraries, 
linking, or other activity to allow it to run on an iAPX 286/10 with 80287 emulation. 


To the applications programmer, the development of programs for iAPX 286 systems is the same 
whether the 80287 NPX hardware is available or not. The full iAPX 286/20 instruction set is available 
for use, with NPX instructions being either emulated or executed directly. Applications programmers 
need not be concerned with the hardware configuration of the computer systems on which their appli- 
cations will eventually run. 


For systems programmers, details relating to 80287 emulators are described in a later section of this 
supplement. An E80287 software emulator for iAPX 286/10 systems is contained in the iMDX 364 
8086 Software Toolbox, available from Intel and described in the 8086 Software Toolbox Manual. 


CONCURRENT PROCESSING WITH THE 80287 


Because the 80286 CPU and the 80287 NPX have separate execution units, it is possible for the NPX 
to execute numeric instructions in parallel with instructions executed by the CPU. This simultaneous 
execution of different instructions is called concurrency. 


No special programming techniques are required to gain the advantages of concurrent execution; numeric 
instructions for the NPX are simply placed in line with the instructions for the CPU. CPU and numeric 
instructions are initiated in the same order as they are encountered by the CPU in its instruction 
stream. However, because numeric operations performed by the NPX generally require more time than 
operations performed by the CPU, the CPU can often execute several of its instructions before the 
NPX completes a numeric instruction previously initiated. 


This concurrency offers obvious advantages in terms of execution performance, but concurrency also 
imposes several rules that must be observed in order to assure proper synchronization of the 80286 
CPU and 80287 NPX. 


All Intel high-level languages automatically provide for and manage concurrency in the NPX. 
Assembly-language programmers, however, must understand and manage some areas of concurrency 
in exchange for the flexibility and performance of programming in assembly language. This section is 
for the assembly-language programmer or well-informed high-level-language programmer. 
Managing Concurrency 


Concurrent execution of the host and 80287 is easy to establish and maintain. The activities of numeric 
programs can be split into two major areas: program control and arithmetic. The program control part 
performs activities such as deciding what functions to perform, calculating addresses of numeric 
operands, and loop control. The arithmetic part simply adds, subtracts, multiplies, and performs other 
operations on the numeric operands. The NPX and host are designed to handle these two parts separately 
and efficiently. 


Managing concurrency is necessary because both the arithmetic and control areas must converge to a 
well-defined state before starting another numeric operation. A well-defined state means all previous 
arithmetic and control operations are complete and valid. 


Normally, the host waits for the 80287 to finish the current numeric operation before starting another. 
This waiting is called synchronization. 


Managing concurrent execution of the 80287 involves three types of synchronization: 


1. Instruction synchronization 
2. Data synchronization 
3. Error synchronization 


For programmers in higher-level languages, all three types of synchronization are automatically provided 
by the appropriate compiler. For assembly-language programmers, instruction synchronization is 
guaranteed by the NPX interface, but data and error synchronization are the responsibility of the 
assembly-language programmer. 


Instruction Synchronization 


Instruction synchronization is required because the 80287 can perform only one numeric operation at 
a time. Before any numeric operation is started, the 80287 must have completed all activity from its 
previous instruction. 


Instruction synchronization is guaranteed for most ESC instructions because the 80286 automatically 
checks the BUSY status line from the 80287 before commencing execution of most ESC instructions. 
No explicit WAIT instructions are necessary to ensure proper instruction synchronization. 


Data Synchronization 


Data synchronization addresses the issue of both the CPU and the NPX referencing the same memory 
values within a given block of code. Synchronization ensures that these two processors access the memory 
operands in the proper sequence, just as they would be accessed by a single processor with no concur- 
rency. Data synchronization is not a concern when the CPU and NPX are using different memory 
operands during the course of one numeric instruction. 


The two cases where data synchronization might be a concern are 


1. The 80286 CPU reads or alters a memory operand first, then invokes the 80287 to load or alter 
the same operand. 


2. The 80287 is invoked to load or alter a memory operand, after which the 80286 CPU reads or 
alters the same location. 


Due to the instruction synchronization of the NPX interface, data synchronization is automatically 
provided for the first case—the 80286 will always complete its operation before invoking the 80287. 


For the second case, data synchronization is not always automatic. In general, there is no guarantee 
that the 80287 will have finished its processing and accessed the memory operand before the 80286 
accesses the same location. 


Figure 2-9 shows examples of the two possible cases of the CPU and NPX sharing a memory value. In 
the examples of the first case, the CPU will finish with the operand before the 80287 can reference it. 
The NPX interface guarantees this. In the examples of the second case, the CPU must wait for the 
80287 to finish with the memory operand before proceeding to reuse it. The FWAIT instructions shown 
in these examples are required in order to ensure this data synchronization. 


There are several NPX control instructions where automatic data synchronization is provided; however, 
the FSTSW/FNSTSW, FSTCW/FNSTCW, FLDCW, FRSTOR, and FLDENV instructions are all 
guaranteed to finish their execution before the CPU can read or alter the referenced memory locations. 


The 80287 provides data synchronization for these instructions by making a request on the Processor 
Extension Data Channel before the CPU executes its next instruction. Since the NPX data transfers 
occur before the CPU regains control of the local bus, the CPU cannot change a memory value before 
the NPX has had a chance to reference it. In the case of the FSTSW AX instruction, the 80286 AX 
register is explicitly updated before the CPU continues execution of the next instruction. 


For the numeric instructions not listed above, the assembly-language programmer must remain aware 
of synchronization and recognize cases requiring explicit data synchronization. Data synchronization 
can be provided either by programming an explicit FWAIT instruction, or by initiating a subsequent 
numeric instruction before accessing the operands or results of a previous instruction. After the subse- 
quent numeric instruction has started execution, all memory references in earlier numeric instructions 
are complete. Reaching the next host instruction after the synchronizing numeric instruction indicates 
that previous numeric operands in memory are available. 


The data-synchronization function of any FWAIT or numeric instruction must be well-documented, as 
shown in figure 2-10. Otherwise, a change to the program at a later time may remove the synchronizing 
numeric instruction and cause program failure. 


is updated before FMUL is executed 
is now safe to use 


Figure 2-10. Documenting Data Synchronization 




High-level languages automatically establish data synchronization and manage it, but there may be 
applications where a high-level language may not be appropriate. 


For assembly-language programmers, automatic data synchronization can be obtained using the assem- 
bler, although concurrency of execution is lost as a result. To perform automatic data synchronization, 
the assembler can be changed to always place a WAIT instruction after the ESCAPE instruction. 
Figure 2-11 shows an example of how to change the ASM286 Code Macro for the FIST instruction to 
automatically place a WAIT instruction after the ESCAPE instruction. This Code Macro is included 
in the ASM286 source module. The price paid for this automatic data synchronization is the lack of 
any possible concurrency between the CPU and NPX. 


Error Synchronization 


Almost any numeric instruction can, under the wrong circumstances, produce a numeric error. Concur- 
rent execution of the CPU and NPX requires synchronization for these errors just as it does for data 
references and numeric instructions. In fact, the synchronization required for data and instructions 
automatically provides error synchronization. 


However, incorrect data or instruction synchronization may not be discovered until a numeric error 
occurs. A further complication is that a programmer may not expect his numeric program to cause 
numeric errors, but in some systems, they may regularly happen. To better understand these points, 
let’s look at what can happen when the NPX detects an error. 


The NPX can perform one of two things when a numeric exception occurs: 


• The NPX can provide a default fix-up for selected numeric errors. Programs can mask individual 
error types to indicate that the NPX should generate a safe, reasonable result whenever that error 
occurs. The default error fix-up activity is treated by the NPX as part of the instruction causing 
the error; no external indication of the error is given. When errors are detected, a flag is set in the 
numeric status register, but no information regarding where or when is available. If the NPX performs 
its default action for all errors, then error synchronization is never exercised. This is no reason to 
ignore error synchronization, however. 


• As an alternative to the NPX default fix-up of numeric errors, the 80286 CPU can be notified 
whenever an exception occurs. The CPU can then implement any sort of recovery procedures desired, 
for any numeric error detectable by the NPX. When a numeric error is unmasked and the error 
occurs, the NPX stops further execution of the numeric instruction and signals this event to the 
CPU. On the next occurrence of an ESC or WAIT instruction, the CPU traps to a software exception 
handler. Some ESC instructions do not check for errors. These are the nonwaited forms FNINIT, 
FNSTENV, FNSAVE, FNSTSW, FNSTCW, and FNCLEX. 


; This is an ASM286 code macro to redefine the FIST 
; instruction to prevent any concurrency 
; while the instruction runs. A wait 
; instruction is placed immediately after the 
; escape to ensure the store is done 
; before the program may continue. 

CodeMacro FIST memop: Mw 
RfixM 111B, memop 
ModRM 010B, memop 
RWfix 
EndM 


Figure 2-11. Nonconcurrent FIST Instruction CodeMacro 


When the NPX signals an unmasked exception condition, it is requesting help. The fact that the error 
was unmasked indicates that further numeric program execution under the arithmetic and programming 
rules of the NPX is unreasonable. 


If concurrent execution is allowed, the state of the CPU when it recognizes the exception is undefined. 
The CPU may have changed many of its internal registers and be executing a totally different program 
by the time the exception occurs. To handle this situation, the NPX has special registers updated at 
the start of each numeric instruction to describe the state of the numeric program when the failed 
instruction was attempted. 


Error synchronization ensures that the NPX is in a well-defined state after an unmasked numeric error 
occurs. Without a well-defined state, it would be impossible for exception recovery routines to figure 
out why the numeric error occurred, or to recover successfully from the error. 


INCORRECT ERROR SYNCHRONIZATION 


An example of how some instructions written without error synchronization will work initially, but fail 
when moved into a new environment is shown in figure 2-12. 


In figure 2-12, three instructions are shown to load an integer, calculate its square root, then increment 
the integer. The NPX interface and synchronous execution of the NPX emulator will allow this program 
to execute correctly when no errors occur on the FILD instruction. 


This situation changes if the 80287 numeric register stack is extended to memory. To extend the NPX 
stack to memory, the invalid error is unmasked. A push to a full register or pop from an empty register 
will cause an invalid error. The recovery routine for the error must recognize this situation, fix up the 
stack, then perform the original operation. 


The recovery routine will not work correctly in the first example shown in the figure. The problem is 
that the value of COUNT is incremented before the NPX can signal the exception to the CPU. Because 
COUNT is incremented before the exception handler is invoked, the recovery routine will load an 
incorrect value of COUNT, causing the program to fail or behave unreliably. 


INCORRECT ERROR SYNCHRONIZATION 
NPX instruction 
CPU instruction alters operand 
subsequent NPX instruction -- error from 
previous NPX instruction detected here 


PROPER ERROR SYNCHRONIZATION 
NPX instruction 
subsequent NPX instruction -- error from 
previous NPX instruction detected here 
CPU instruction alters operand 


Figure 2-12. Error Synchronization Examples 
PROPER ERROR SYNCHRONIZATION 


Error Synchronization relies on the WAIT instructions required by instruction and data synchroniza- 
tion and the BUSY and ERROR signals of the 80287. When an unmasked error occurs in the 80287, 
it asserts the ERROR signal, signalling to the CPU that a numeric error has occurred. The next time 
the CPU encounters an error-checking ESC or WAIT instruction, the CPU acknowledges the ERROR 
signal by trapping automatically to Interrupt #16, the Processor Extension Error vector. If the following 
ESC or WAIT instruction is properly placed, the CPU will not yet have disturbed any information 
vital to recovery from the error. 
CHAPTER 3 
SYSTEM-LEVEL NUMERIC PROGRAMMING 


System programming for iAPX 286/20 systems requires a more detailed understanding of the 80287 
NPX than does application programming. Such things as emulation, initialization, exception handling, 
and data and error synchronization are all the responsibility of the systems programmer. These topics 
are covered in detail in the sections that follow. 


iAPX 286/20 ARCHITECTURE 


On a software level, the 80287 NPX appears as an extension of the 80286 CPU. On the hardware 
level, however, the mechanisms by which the 80286 and 80287 interact are a bit more complex. This 
section describes how the 80287 NPX and 80286 CPU interact and points out features of this inter- 
action that are of interest to systems programmers. 


Processor Extension Data Channel 


All transfers of operands between the 80287 and system memory are performed by the 80286’s internal 
Processor Extension Data Channel. This independent, DMA-like data channel permits all operand 
transfers of the 80287 to come under the supervision of the 80286 memory-management and protection 
mechanisms. The operation of this data channel is completely transparent to software. 


Because the 80286 actually performs all transfers between the 80287 and memory, no additional bus 
drivers, controllers, or other components are necessary to interface the 80287 NPX to the local bus. 
Any memory accessible to the 80286 CPU is accessible by the 80287. The Processor Extension Data 
Channel is described in more detail in Chapter Six of the iAPX 286 Hardware Reference Manual. 


Real-Address Mode and Protected Virtual-Address Mode 


Like the 80286 CPU, the 80287 NPX can operate in both Real-Address mode and in Protected mode. 
Following a hardware RESET, the 80287 is initially activated in Real-Address mode. A single, privi- 
leged instruction (FSETPM) is necessary to set the 80287 into Protected mode. 


As an extension to the 80286 CPU, the 80287 can access any memory location accessible by the task 
currently executing on the 80286. When operating in Protected mode, all memory references by the 
80287 are automatically verified by the 80286’s memory management and protection mechanisms as 
for any other memory references by the currently-executing task. Protection violations associated with 
NPX instructions automatically cause the 80286 to trap to an appropriate exception handler. 


To the programmer, these two 80287 operating modes differ only in the manner in which the NPX 
instruction and data pointers are represented in memory following an FSAVE or FSTENV instruction. 
When the 80287 operates in Protected mode, its NPX instruction and data pointers are each repre- 
sented in memory as a 16-bit segment selector and a 16-bit offset. When the 80287 operates in Real- 
Address mode, these same instruction and data pointers are represented simply as the 20-bit physical 
addresses of the operands in question (see figure 1-7 in Chapter One). 
Dedicated and Reserved I/O Locations 


The 80287 NPX does not require that any memory addresses be set aside for special purposes. The 
80287 does make use of I/O port addresses in the range 00F8H through 00FFH, although these I/O 
operations are completely transparent to the iAPX 286 software. iAPX 286 programs must not 
reference these reserved I/O addresses directly. 


To prevent any accidental misuse or other tampering with numeric instructions in the 80287, the 80286’s 
I/O Privilege Level (IOPL) should be used in multiuser reprogrammable environments to restrict 
application program access to the I/O address space and so guarantee the integrity of 80287 compu- 
tations. Chapter Eight of the iAPX 286 Operating System Writer’s Guide contains more details regard- 
ing the use of the I/O Privilege Level. 


PROCESSOR INITIALIZATION AND CONTROL 


One of the principal responsibilities of systems software is the initialization, monitoring, and control of 
the hardware and software resources of the system, including the 80287 NPX. In this section, issues 
related to system initialization and control are described, including recognition of the NPX, emulation 
of the 80287 NPX in software if the hardware is not available, and the handling of exceptions that 
may occur during the execution of the 80287. 


System Initialization 


During initialization of an iAPX 286 system, systems software must 


• Recognize the presence or absence of the NPX 
• Set flags in the 80286 MSW to reflect the state of the numeric environment 


If an 80287 NPX is present in the system, the NPX must be 


• Initialized 
• Switched into Protected mode (if desired) 


All of these activities can be quickly and easily performed as part of the overall system initialization. 


Recognizing the 80287 NPX 


During initialization, the 80286 is easily programmed to recognize the presence of the 80287 NPX. 
Figure 3-1 shows an example of such a recognition routine. 


In the example, the 80286 assumes that the 80287 is present and executes an FNINIT instruction. 
Following the FNINIT instruction, the 80286 attempts to read the NPX status word. If the 80287 
NPX is present, the lower eight bits of this word (the exception flags) will be all zeros. If an 80287 is 
not present, these data lines will have been floating. The iAPX 286 Hardware Reference Manual 
describes how to design the 80287 socket to ensure that at least one of these lower eight data lines 
floats high in the absence of the 80287. 
; initialization routine to detect an 80287 Numeric Processor 


FND_287:  FNINIT              ; initialize Numeric Processor 
          FSTSW   AX          ; retrieve 80287 status word 
          OR      AL,AL       ; test low-byte--80287 exception flags 
                              ; if all zero, then 80287 present and 
                              ;   properly initialized 
                              ; if not all zero, then 80287 absent. 
          JZ      GOT_287     ; branch if 80287 present 


          SMSW    AX          ; No Numeric Processor-- 
          OR      AL,04H      ; set EM bit in machine status word 
          LMSW    AX          ; to enable software emulation of 80287 
          JMP     CONTINUE 


GOT_287:  SMSW    AX          ; Numeric Processor present 
          OR      AL,02H      ; set MP bit in machine status word 
          LMSW    AX          ; to permit normal 80287 operation 


CONTINUE:                     ; and off we go ... 


Figure 3-1. Software Routine to Recognize the 80287 


Configuring the Numerics Environment 


Once the 80286 CPU has determined the presence or absence of the 80287 NPX, the 80286 must set 
either the MP or the EM bit in its own machine status word accordingly. The initialization routine can 
either 


• Set the MP bit in the 80286 MSW to allow numeric instructions to be executed directly by the 
80287 NPX component 


• Set the EM bit in the 80286 MSW to permit software emulation of the 80287 numeric instructions 


The Math Present (MP) flag of the 80286 machine status word indicates to the CPU whether an 80287 
NPX is physically available in the system. The MP flag controls the function of the WAIT instruction. 
When executing a WAIT instruction, the 80286 tests only the Task Switched (TS) bit if MP is set; if 
it finds TS set under these conditions, the CPU traps to exception #7. 


The Emulation Mode (EM) bit of the 80286 machine status word indicates to the CPU whether NPX 
functions are to be emulated. If the CPU finds EM set when it executes an ESC instruction, program 
control is automatically trapped to exception #7, giving the exception handler the opportunity to emulate 
the functions of an 80287. The 80286 EM flag can be changed only by using the LMSW (load machine 
status word) instruction (legal only at privilege level 0) and examined with the aid of the SMSW (store 
machine status word) instruction (legal at any privilege level). 


The EM bit also controls the function of the WAIT instruction. If the CPU finds EM set while execut- 
ing a WAIT, the CPU does not check the ERROR pin for an error indication. 


For correct 80286 operation, the EM bit must never be set concurrently with MP. The EM and MP 
bits of the 80286 are described in more detail in the iAPX 286 Operating System Writer’s Guide. 
More information on software emulation for the 80287 NPX is described in the “80287 Emulation” 
section later in this chapter. 
Initializing the 80287 


Initializing the 80287 NPX simply means placing the NPX in a known state unaffected by any activity 
performed earlier. The example software routine to recognize the 80287 (figure 3-1) performed this 
initialization using a single FNINIT instruction. This instruction causes the NPX to be initialized in 
the same way as that caused by the hardware RESET signal to the 80287. All the error masks are set, 
all registers are tagged empty, the ST is set to zero, and default rounding, precision, and infinity 
controls are set. Table 3-1 shows the state of the 80287 NPX following initialization. 


Following a hardware RESET signal, such as after initial power-up, the 80287 is initialized in Real- 
Address mode. Once the 80287 has been switched to Protected mode (using the FSETPM instruction), 
only another hardware RESET can switch the 80287 back to Real-Address mode. The FNINIT 
instruction does not switch the operating state of the 80287. 


80287 Emulation 


If it is determined that no 80287 NPX is available in the system, systems software may decide to 
emulate ESC instructions in software. This emulation is easily supported by the 80286 hardware, because 
the 80286 can be configured to trap to a software emulation routine whenever it encounters an ESC 
instruction in its instruction stream. 


As described previously, whenever the 80286 CPU encounters an ESC instruction, and its MP and 
EM status bits are set appropriately (MP=0, EM=1), the 80286 will automatically trap to interrupt 
#7, the Processor Extension Not Available exception. The return link stored on the stack points to the 
first byte of the ESC instruction, including the prefix byte(s), if any. The exception handler can use 
this return link to examine the ESC instruction and proceed to emulate the numeric instruction in 
software. 


The emulator must step the return pointer so that, upon return from the exception handler, execution 
can resume at the first instruction following the ESC instruction. 
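

An added example, not part of the Intel manual or of the E80287 emulator: a C routine that measures the ESC instruction found at the return link, including segment-override prefixes, so that an exception #7 handler can step the saved return offset past it. The function names, the bounds argument standing in for the code-segment limit, and the byte strings (constructed encodings of instructions like those in figure 2-7) are assumptions of this example; only 80286 16-bit addressing is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample code segment (not taken from a real program image).
 * Offsets in the comments are decimal. */
const uint8_t sample_code[] = {
    0xD9, 0x2E, 0x00, 0x00,        /*  0: fldcw [0000h]            mod=00 rm=110 */
    0xD9, 0xEE,                    /*  4: fldz                     mod=11        */
    0x26, 0xD9, 0x84, 0x04, 0x00,  /*  6: fld dword es:[si+0004h]  mod=10        */
    0xDC, 0xC3,                    /* 11: fadd st(3),st            mod=11        */
    0xD9, 0x44, 0x04,              /* 13: fld dword [si+04h]       mod=01        */
    0x8B, 0xF0,                    /* 16: mov si,ax (not an ESC instruction)     */
    0xD9, 0x84, 0x04               /* 18: ESC cut off by the end of the segment  */
};
const size_t sample_code_size = sizeof sample_code;

/* 80286 segment-override prefixes: ES:, CS:, SS:, DS:. */
static int is_seg_prefix(uint8_t b)
{
    return b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E;
}

/*
 * Length in bytes of the ESC instruction that starts at code[0], counting
 * any segment-override prefixes.  Returns 0 when the bytes are not an ESC
 * instruction or when the instruction would run past avail bytes, so the
 * caller never reads or skips beyond the readable part of the segment.
 */
size_t esc_length(const uint8_t *code, size_t avail)
{
    size_t i = 0;
    size_t disp = 0;
    uint8_t modrm, mod, rm;

    while (i < avail && is_seg_prefix(code[i]))
        i++;
    if (i >= avail || (code[i] & 0xF8) != 0xD8)   /* ESC opcodes are D8h..DFh */
        return 0;
    i++;
    if (i >= avail)                               /* ModRM byte must be present */
        return 0;
    modrm = code[i++];
    mod = modrm >> 6;
    rm = modrm & 7;
    if (mod == 1)
        disp = 1;                                 /* 8-bit displacement */
    else if (mod == 2 || (mod == 0 && rm == 6))
        disp = 2;                                 /* 16-bit displacement or direct address */
    if (i + disp > avail)
        return 0;
    return i + disp;
}

/*
 * Advance the saved return offset *ip past the ESC instruction it points to.
 * Returns 0 on success; returns -1 and leaves *ip unchanged if the bytes at
 * *ip are not a complete ESC instruction inside the segment.
 */
int step_return_offset(const uint8_t *seg, size_t seg_size, uint16_t *ip)
{
    size_t n, next;

    if (*ip >= seg_size)
        return -1;
    n = esc_length(seg + *ip, seg_size - *ip);
    next = (size_t)*ip + n;
    if (n == 0 || next > 0xFFFF)
        return -1;
    *ip = (uint16_t)next;
    return 0;
}

int main(void)
{
    uint16_t ip = 0;

    while (step_return_offset(sample_code, sample_code_size, &ip) == 0)
        printf("resume at offset %u\n", (unsigned)ip);
    printf("offset %u: not a complete ESC instruction\n", (unsigned)ip);
    return 0;
}
```

Refusing to step when the bytes do not decode keeps a handler from resuming at an arbitrary offset if the trap was raised by something other than a well-formed ESC instruction.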


Table 3-1. NPX Processor State Following Initialization 


Field                        Value      Interpretation 

Control Word 
  Infinity Control                      Projective 
  Rounding Control           00         Round to nearest 
  Precision Control                     64 bits 
  Interrupt-Enable Mask                 Interrupts disabled 
  Exception Masks                       All exceptions masked 

Status Word 
  Busy                                  Not busy 
  Condition Code             ????       (Indeterminate) 
  Stack Top                  000        Empty stack 
  Interrupt Request          0          No interrupt 
  Exception Flags            000000     No exceptions 

Tag Word 
  Tags                                  Empty 

Registers                    N.C.       Not changed 

Exception Pointers 
  Instruction Code           N.C.       Not changed 
  Instruction Address        N.C.       Not changed 
  Operand Address            N.C.       Not changed 


To an application program, execution on an iAPX 286/10 system with 80287 emulation is almost 
indistinguishable from execution on an iAPX 286/20 system, except for the difference in execution 
speeds. 


There are several important considerations when using emulation on an iAPX 286/10 system: 


• When operating in Protected-Address mode, numeric applications using the emulator must be 
executed in execute-readable code segments. Numeric software cannot be emulated if it is executed 
in execute-only code segments. This is because the emulator must be able to examine the particular 
numeric instruction that caused the Emulation trap. 


• Only privileged tasks can place the 80286 in emulation mode. The instructions necessary to place 
the 80286 in Emulation mode are privileged instructions, and are not typically accessible to an 
application. 


An emulator package (E80287) that runs on iAPX 286/10 systems is available from Intel in the 8086 
Software Toolbox, Order Number 122203. This emulation package operates in both Real and Protected 
mode, providing a complete functional equivalent for the 80287 emulated in software. 


When using the E80287 emulator, writers of numeric exception handlers should be aware of one slight 
difference between the emulated 80287 and the 80287 hardware: 


• On the 80287 hardware, exception handlers are invoked by the 80286 at the first WAIT or ESC 
instruction following the instruction causing the exception. The return link, stored on the 80286 
stack, points to this second WAIT or ESC instruction where execution will resume following a 
return from the exception handler. 


• Using the E80287 emulator, numeric exception handlers are invoked from within the emulator itself. 
The return link stored on the stack when the exception handler is invoked will therefore point back 
to the E80287 emulator, rather than to the program code actually being executed (emulated). An 
IRET return from the exception handler returns to the emulator, which then returns immediately 
to the emulated program. This added layer of indirection should not cause confusion, however, 
because the instruction causing the exception can always be identified from the 80287’s instruction 
and data pointers. 


Handling Numeric Processing Exceptions 


Once the iAPX 286/20 system has been initialized and normal execution of applications has been 
commenced, the 80287 NPX may occasionally require attention in order to recover from numeric 
processing errors. This section provides details for writing software exception handlers for numeric 
exceptions. Numeric processing exceptions have already been introduced in previous sections of this 
manual. 


As discussed previously, the 80287 NPX can take one of two actions when it recognizes a numeric 
exception: 


• If the exception is masked, the NPX will automatically perform its own masked exception response, 
correcting the exception condition according to fixed rules, and then continuing with its instruction 
execution. 


• If the exception is unmasked, the NPX signals the exception to the 80286 CPU using the ERROR 
status line between the two processors. Each time the 80286 encounters an ESC or WAIT instruc- 
tion in its instruction stream, the CPU checks the condition of this ERROR status line. If ERROR 
is active, the CPU automatically traps to Interrupt vector #16, the Processor Extension Error trap. 
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Interrupt vector #16 typically points to a software exception handler, which may or may not be a part 
of systems. software. This exception handler takes the form of an 1:APX 286 interrupt procedure. 


When handling numeric errors, the CPU has two responsibilities: 


• The CPU must not disturb the numeric context when an error is detected.


• The CPU must clear the error and attempt recovery from the error.


Although the manner in which programmers may treat these responsibilities varies from one imple- 
mentation to the next, most exception handlers will include these basic steps: 


• Store the NPX environment (control, status, and tag words, operand and instruction pointers) as it
existed at the time of the exception.

• Clear the exception bits in the status word.

• Enable interrupts on the CPU.

• Identify the exception by examining the status and control words in the saved environment.

• Take some system-dependent action to rectify the exception.

• Return to the interrupted program and resume normal execution.


It should be noted that the NPX exception pointers contained in the stored NPX environment will take
different forms, depending on whether the NPX is operating in Real-Address mode or in Protected
mode. The earlier discussion of Real versus Protected mode details how this information is presented
in each of the two operating modes.


Simultaneous Exception Response 


In cases where multiple exceptions arise simultaneously, the 80287 signals one exception according to
the precedence sequence shown in table 3-2. This means, for example, that zero divided by zero will
result in an invalid operation, and not a zero divide exception.


Exception Recovery Examples


Recovery routines for NPX exceptions can take a variety of forms. They can change the arithmetic 
and programming rules of the NPX. These changes may redefine the default fix-up for an error, change 
the appearance of the NPX to the programmer, or change how arithmetic is defined on the NPX. 


A change to an error response might be to automatically normalize all denormals loaded from memory.
A change in appearance might be extending the register stack into memory to provide an “infinite”
number of numeric registers. The arithmetic of the NPX can be changed to automatically extend the
precision and range of variables when exceeded. All these functions can be implemented on the NPX
via numeric errors and associated recovery routines in a manner transparent to the application
programmer.


Table 3-2. Precedence of NPX Exceptions

Signaled First:   Denormalized operand (if unmasked)
                  Invalid operation
                  Zero divide
                  Denormalized (if masked)
                  Over/Underflow
Signaled Last:    Precision


Some other possible system-dependent actions, mentioned previously, may include: 


• Incrementing an exception counter for later display or printing

• Printing or displaying diagnostic information (e.g., the 80287 environment and registers)

• Aborting further execution

• Storing a diagnostic value (a NaN) in the result and continuing with the computation


Notice that an exception may or may not constitute an error, depending on the implementation. Once 
the exception handler corrects the error condition causing the exception, the floating-point instruction 
that caused the exception can be restarted, if appropriate. This cannot be accomplished using the 
IRET instruction, however, because the trap occurs at the ESC or WAIT instruction following the 
offending ESC instruction. The exception handler must obtain from the NPX the address of the 
offending instruction in the task that initiated it, make a copy of it, execute the copy in the context of 
the offending task, and then return via IRET to the current CPU instruction stream. 


In order to correct the condition causing the numeric exception, exception handlers must recognize the 
precise state of the NPX at the time the exception handler was invoked, and be able to reconstruct the 
state of the NPX when the exception initially occurred. To reconstruct the state of the NPX, program- 
mers must understand when, during the execution of an NPX instruction, exceptions are actually 
recognized. 


Invalid operation, zero divide, and denormalized exceptions are detected before an operation begins,
whereas overflow, underflow, and precision exceptions are not raised until a true result has been
computed. When a before exception is detected, the NPX register stack and memory have not yet been
updated, and appear as if the offending instruction has not been executed.


When an after exception is detected, the register stack and memory appear as if the instruction has 
run to completion; i.e., they may be updated. (However, in a store or store-and-pop operation, unmasked 
over/underflow is handled like a before exception; memory is not updated and the stack is not popped.) 
The programming examples contained in Chapter Four include an outline of several exception handlers 
to process numeric exceptions for the 80287. 


CHAPTER 4
NUMERIC PROGRAMMING EXAMPLES 


The following sections contain examples of numeric programs for the 80287 NPX written in ASM286. 
These examples are intended to illustrate some of the techniques for programming the iAPX 286/20 
computing system for numeric applications. 


CONDITIONAL BRANCHING EXAMPLES 


As discussed in Chapter Two, several numeric instructions post their results to the condition code bits 
of the 80287 status word. Although there are many ways to implement conditional branching following 
a comparison, the basic approach is as follows: 


• Execute the comparison.

• Store the status word. (80287 allows storing status directly into AX register.)

• Inspect the condition code bits.

• Jump on the result.


Figure 4-1 is a code fragment that illustrates how two memory-resident long real numbers might be 
compared (similar code could be used with the FTST instruction). The numbers are called A and B, 
and the comparison is A to B. 


The comparison itself requires loading A onto the top of the 80287 register stack and then comparing
it to B, while popping the stack with the same instruction. The status word is then written into the
80286 AX register.


A and B have four possible orderings, and bits C3, C2, and C0 of the condition code indicate which
ordering holds. These bits are positioned in the upper byte of the NPX status word so as to correspond
to the CPU's zero, parity, and carry flags (ZF, PF, and CF), when the byte is written into the flags.
The code fragment sets ZF, PF, and CF of the CPU status word to the values of C3, C2, and C0 of
the NPX status word, and then uses the CPU conditional jump instructions to test the flags. The
resulting code is extremely compact, requiring only seven instructions.


The FXAM instruction updates all four condition code bits. Figure 4-2 shows how a jump table can be 
used to determine the characteristics of the value examined. The jump table (FXAM_TBL) is initial- 
ized to contain the 16-bit displacement of 16 labels, one for each possible condition code setting. Note 
that four of the table entries contain the same value, because four condition code settings correspond 
to “empty.” 


The program fragment performs the FXAM and stores the status word. It then manipulates the condition
code bits to finally produce a number in register BX that equals the condition code times 2. This
involves zeroing the unused bits in the byte that contains the code, shifting C3 to the right so that it is
adjacent to C2, and then shifting the code to multiply it by 2. The resulting value is used as an index
that selects one of the displacements from FXAM_TBL (the multiplication of the condition code is
required because of the 2-byte length of each value in FXAM_TBL). The unconditional JMP instruction
effectively vectors through the jump table to the labelled routine that contains code (not shown in
the example) to process each possible result of the FXAM instruction.


        FLD     A               ; LOAD A ONTO TOP OF 287 STACK
        FCOMP   B               ; COMPARE A:B, POP A
        FSTSW   AX              ; STORE RESULT TO CPU AX REGISTER
;
; CPU AX REGISTER CONTAINS CONDITION CODES (RESULTS OF
; COMPARE)
; LOAD CONDITION CODES INTO CPU FLAGS
;
        SAHF
;
        JP      A_B_UNORDERED   ; TEST C2
        JB      A_LESS          ; TEST C0
        JE      A_EQUAL         ; TEST C3
A_GREATER:                      ; C0 (CF) = 0, C3 (ZF) = 0

A_EQUAL:                        ; C0 (CF) = 0, C3 (ZF) = 1

A_LESS:                         ; C0 (CF) = 1, C3 (ZF) = 0

A_B_UNORDERED:                  ; C2 (PF) = 1


Figure 4-1. Conditional Branching for Compares


; JUMP TABLE FOR EXAMINE ROUTINE
;
FXAM_TBL DW     POS_UNNORM, POS_NAN, NEG_UNNORM, NEG_NAN,
&               POS_NORM, POS_INFINITY, NEG_NORM,
&               NEG_INFINITY, POS_ZERO, EMPTY, NEG_ZERO,
&               EMPTY, POS_DENORM, EMPTY, NEG_DENORM, EMPTY
;
; EXAMINE ST AND STORE RESULT (CONDITION CODES)
        FXAM
        FSTSW   AX
;
; CALCULATE OFFSET INTO JUMP TABLE
        MOV     BH,0            ; CLEAR UPPER HALF OF BX,
        MOV     BL,AH           ; LOAD CONDITION CODE INTO BL
        AND     BL,00000111B    ; CLEAR ALL BITS EXCEPT C2-C0
        AND     AH,01000000B    ; CLEAR ALL BITS EXCEPT C3
        SHR     AH,2            ; SHIFT C3 TWO PLACES RIGHT
        SHL     BX,1            ; SHIFT C2-C0 1 PLACE LEFT (MULTIPLY
                                ; BY 2)
        OR      BL,AH           ; DROP C3 BACK IN ADJACENT TO C2
                                ; (000XXXX0)
;
; JUMP TO THE ROUTINE 'ADDRESSED' BY CONDITION CODE
        JMP     FXAM_TBL[BX]
;
; HERE ARE THE JUMP TARGETS, ONE TO HANDLE
; EACH POSSIBLE RESULT OF FXAM
;
POS_UNNORM:

POS_NAN:

NEG_UNNORM:

NEG_NAN:

POS_NORM:

POS_INFINITY:

NEG_NORM:

NEG_INFINITY:

POS_ZERO:

EMPTY:

NEG_ZERO:

POS_DENORM:

NEG_DENORM:


Figure 4-2. Conditional Branching for FXAM
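

The condition-code handling of figures 4-1 and 4-2 can be checked on a host machine with the C model below. It is an added example, not part of the Intel manual; the function names and the sample status words in main are constructed for illustration, and only the bit positions and table order come from the text above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Condition-code positions in the 16-bit NPX status word. */
#define SW_C0 0x0100u
#define SW_C2 0x0400u
#define SW_C3 0x4000u

typedef enum { A_GREATER, A_EQUAL, A_LESS, A_B_UNORDERED } compare_result;

/* Same test order as the JP / JB / JE sequence after SAHF in figure 4-1.
   C2 must be tested first: an unordered compare sets C3, C2 and C0
   together, so it would otherwise be taken for "less" or "equal". */
compare_result decode_compare(uint16_t sw)
{
    if (sw & SW_C2) return A_B_UNORDERED;
    if (sw & SW_C0) return A_LESS;
    if (sw & SW_C3) return A_EQUAL;
    return A_GREATER;
}

/* Same order as FXAM_TBL in figure 4-2: entry n handles C3 C2 C1 C0 = n. */
static const char *const fxam_class[16] = {
    "POS_UNNORM", "POS_NAN",      "NEG_UNNORM", "NEG_NAN",
    "POS_NORM",   "POS_INFINITY", "NEG_NORM",   "NEG_INFINITY",
    "POS_ZERO",   "EMPTY",        "NEG_ZERO",   "EMPTY",
    "POS_DENORM", "EMPTY",        "NEG_DENORM", "EMPTY"
};

/* Byte offset into a table of 16-bit entries, step for step as the
   assembly fragment computes it in BX. */
unsigned fxam_table_offset(uint16_t sw)
{
    uint8_t ah = (uint8_t)(sw >> 8);   /* FSTSW AX leaves the codes in AH  */
    uint8_t bl = ah & 0x07;            /* clear all bits except C2-C0      */
    ah &= 0x40;                        /* clear all bits except C3         */
    ah >>= 2;                          /* shift C3 two places right        */
    bl <<= 1;                          /* multiply C2-C0 by 2              */
    bl |= ah;                          /* C3 adjacent to C2: 000XXXX0      */
    return bl;
}

const char *fxam_classify(uint16_t sw)
{
    return fxam_class[fxam_table_offset(sw) / 2];
}

int main(void)
{
    /* Constructed status words; 0xBC00 also has the busy and stack-top
       bits set to show that they do not disturb the index. */
    static const uint16_t samples[] = { 0x0400, 0xBC00, 0x4100, 0x0700, 0x4200 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("status %04X -> offset %2u -> %s\n", (unsigned)samples[i],
               fxam_table_offset(samples[i]), fxam_classify(samples[i]));
    return 0;
}
```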


EXCEPTION HANDLING EXAMPLES 


There are many approaches to writing exception handlers. One useful technique is to consider the 
exception handler procedure as consisting of “prologue,” “body,” and “epilogue” sections of code. (For 
compatibility with the 80287 emulators, this procedure should be invoked by interrupt pointer (vector) 
number 16.) 




At the beginning of the prologue, CPU interrupts have been disabled. The prologue performs all 
functions that must be protected from possible interruption by higher-priority sources. Typically, this 
will involve saving CPU registers and transferring diagnostic information from the 80287 to memory. 
When the critical processing has been completed, the prologue may enable CPU interrupts to allow 
higher-priority interrupt handlers to preempt the exception handler. 


The exception handler body examines the diagnostic information and makes a response that is
necessarily application-dependent. This response may range from halting execution, to displaying a message,
to attempting to repair the problem and proceed with normal execution.


The epilogue essentially reverses the actions of the prologue, restoring the CPU and the NPX so that
normal execution can be resumed. The epilogue must not load an unmasked exception flag into the
80287 or another exception will be requested immediately.


Figures 4-3 through 4-5 show the ASM286 coding of three skeleton exception handlers. They show how
prologues and epilogues can be written for various situations, but provide comments indicating only
where the application-dependent exception handling body should be placed.


Figures 4-3 and 4-4 are very similar; their only substantial difference is their choice of instructions to
save and restore the 80287. The tradeoff here is between the increased diagnostic information provided
by FNSAVE and the faster execution of FNSTENV. For applications that are sensitive to interrupt
latency or that do not need to examine register contents, FNSTENV reduces the duration of the
“critical region,” during which the CPU will not recognize another interrupt request (unless it is a
nonmaskable interrupt).


After the exception handler body, the epilogues prepare the CPU and the NPX to resume execution
from the point of interruption (i.e., the instruction following the one that generated the unmasked
exception). Notice that the exception flags in the memory image that is loaded into the 80287 are
cleared to zero prior to reloading (in fact, in these examples, the entire status word image is cleared).


The examples in figures 4-3 and 4-4 assume that the exception handler itself will not cause an unmasked
exception. Where this is a possibility, the general approach shown in figure 4-5 can be employed. The
basic technique is to save the full 80287 state and then to load a new control word in the prologue.
Note that considerable care should be taken when designing an exception handler of this type to prevent
the handler from being reentered endlessly.


SAVE_ALL        PROC
;
; SAVE CPU REGISTERS, ALLOCATE STACK SPACE
; FOR 80287 STATE IMAGE
        PUSH    BP
        MOV     BP,SP
        SUB     SP,94
; SAVE FULL 80287 STATE, WAIT FOR COMPLETION,
; ENABLE CPU INTERRUPTS
        FNSAVE  [BP-94]
        FWAIT
        STI
;
; APPLICATION-DEPENDENT EXCEPTION HANDLING
; CODE GOES HERE
;
; CLEAR EXCEPTION FLAGS IN STATUS WORD
; RESTORE MODIFIED STATE IMAGE
        MOV     BYTE PTR [BP-92],0H
        FRSTOR  [BP-94]
; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
        MOV     SP,BP
        POP     BP
;
; RETURN TO INTERRUPTED CALCULATION
        IRET
SAVE_ALL        ENDP


Figure 4-3. Full-State Exception Handler


SAVE_ENVIRONMENT PROC
;
; SAVE CPU REGISTERS, ALLOCATE STACK SPACE
; FOR 80287 ENVIRONMENT
        PUSH    BP
        MOV     BP,SP
        SUB     SP,14
; SAVE ENVIRONMENT, WAIT FOR COMPLETION,
; ENABLE CPU INTERRUPTS
        FNSTENV [BP-14]
        FWAIT
        STI
;
; APPLICATION EXCEPTION-HANDLING CODE GOES HERE
;
; CLEAR EXCEPTION FLAGS IN STATUS WORD
; RESTORE MODIFIED
; ENVIRONMENT IMAGE
        MOV     BYTE PTR [BP-12],0H
        FLDENV  [BP-14]
; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
        MOV     SP,BP
        POP     BP
;
; RETURN TO INTERRUPTED CALCULATION
        IRET
SAVE_ENVIRONMENT ENDP


Figure 4-4. Reduced-Latency Exception Handler


LOCAL_CONTROL   DW      ?               ; ASSUME INITIALIZED

REENTRANT       PROC
;
; SAVE CPU REGISTERS, ALLOCATE STACK SPACE FOR
; 80287 STATE IMAGE
        PUSH    BP
        MOV     BP,SP
        SUB     SP,94
; SAVE STATE, LOAD NEW CONTROL WORD,
; WAIT FOR COMPLETION, ENABLE CPU INTERRUPTS
        FNSAVE  [BP-94]
        FLDCW   LOCAL_CONTROL
        STI
;
; APPLICATION EXCEPTION HANDLING CODE GOES HERE.
; AN UNMASKED EXCEPTION GENERATED HERE WILL
; CAUSE THE EXCEPTION HANDLER TO BE REENTERED.
; IF LOCAL STORAGE IS NEEDED, IT MUST BE
; ALLOCATED ON THE CPU STACK.
;
; CLEAR EXCEPTION FLAGS IN STATUS WORD
; RESTORE MODIFIED STATE IMAGE
        MOV     BYTE PTR [BP-92],0H
        FRSTOR  [BP-94]
; DE-ALLOCATE STACK SPACE, RESTORE CPU REGISTERS
        MOV     SP,BP
        POP     BP
;
; RETURN TO POINT OF INTERRUPTION
        IRET
REENTRANT       ENDP


Figure 4-5. Reentrant Exception Handler
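

The skeletons in figures 4-3 through 4-5 leave the handler body empty. The C model below is an added example, not code from the Intel manual: it shows one way a body could identify the exception from the saved control and status words and confirm that the image is safe to reload in the epilogue. The function names and sample images are hypothetical, and choosing among several pending flags by the order of table 3-2 is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits 0-5 name the same exception in both words: a set bit in the status
   word is a raised flag, a set bit in the control word masks that exception. */
enum { NPX_IE = 0x01, NPX_DE = 0x02, NPX_ZE = 0x04,
       NPX_OE = 0x08, NPX_UE = 0x10, NPX_PE = 0x20, NPX_ALL = 0x3F };

/* Byte offsets in the image written by FNSTENV or FNSAVE. */
enum { ENV_CONTROL = 0, ENV_STATUS = 2, ENV_SIZE = 14 };

typedef enum { NPX_NONE = 0, NPX_BEFORE, NPX_AFTER } npx_timing;

typedef struct {
    uint8_t     flag;    /* exception to service, 0 if none is unmasked     */
    npx_timing  timing;  /* BEFORE: stack and memory not yet updated        */
    const char *name;
} npx_exception;

static uint16_t env_word(const uint8_t *env, int off)
{
    return (uint16_t)(env[off] | (env[off + 1] << 8));   /* little-endian */
}

/* Flags raised in the status word that the control word does not mask.
   Flags left over from earlier masked exceptions are filtered out here. */
uint8_t npx_unmasked_pending(const uint8_t *env)
{
    uint16_t cw = env_word(env, ENV_CONTROL);
    uint16_t sw = env_word(env, ENV_STATUS);
    return (uint8_t)(sw & ~cw & NPX_ALL);
}

/* Pick the exception to service, in the order of table 3-2. Pass a nonzero
   op_is_store when the offending instruction is a store or store-and-pop:
   unmasked over/underflow is then handled like a before exception. */
npx_exception npx_identify(const uint8_t *env, int op_is_store)
{
    static const npx_exception order[] = {
        { NPX_DE, NPX_BEFORE, "denormalized operand" },
        { NPX_IE, NPX_BEFORE, "invalid operation" },
        { NPX_ZE, NPX_BEFORE, "zero divide" },
        { NPX_OE, NPX_AFTER,  "overflow" },
        { NPX_UE, NPX_AFTER,  "underflow" },
        { NPX_PE, NPX_AFTER,  "precision" },
    };
    npx_exception e = { 0, NPX_NONE, "none" };
    uint8_t pending = npx_unmasked_pending(env);
    size_t i;

    for (i = 0; i < sizeof order / sizeof order[0]; i++) {
        if (pending & order[i].flag) {
            e = order[i];
            if (op_is_store && (e.flag & (NPX_OE | NPX_UE)))
                e.timing = NPX_BEFORE;
            break;
        }
    }
    return e;
}

/* Mirrors MOV BYTE PTR [BP-12],0H (or [BP-92]) in the epilogues. */
void npx_clear_flags(uint8_t *env) { env[ENV_STATUS] = 0; }

/* The epilogue must not reload an unmasked exception flag. */
int npx_safe_to_reload(const uint8_t *env)
{
    return npx_unmasked_pending(env) == 0;
}

/* Constructed images; only the control and status words are filled in. */
static uint8_t sample_invalid[ENV_SIZE]  = { 0x32, 0x03, 0x21, 0x00 };
static uint8_t sample_denormal[ENV_SIZE] = { 0x30, 0x03, 0x03, 0x00 };
static uint8_t sample_overflow[ENV_SIZE] = { 0x37, 0x03, 0x08, 0x00 };

int main(void)
{
    printf("%s\n", npx_identify(sample_invalid, 0).name);
    printf("%s\n", npx_identify(sample_denormal, 0).name);
    printf("%s, store: timing %d\n", npx_identify(sample_overflow, 1).name,
           (int)npx_identify(sample_overflow, 1).timing);
    return 0;
}
```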


FLOATING-POINT TO ASCII CONVERSION EXAMPLES


Numeric programs must typically format their results at some point for presentation and inspection by 
the program user. In many cases, numeric results are formatted as ASCII strings for printing or display. 
This example shows how floating-point values can be converted to decimal ASCII character strings. 
The function shown in figure 4-6 can be invoked from PL/M-286, Pascal-286, FORTRAN-286, or 
ASM286 routines. 


Shortness, speed, and accuracy were chosen rather than providing the maximum number of significant
digits possible. An attempt is made to keep integers in their own domain to avoid unnecessary
conversion errors.


Using the extended precision real number format, this routine achieves a worst case accuracy of three 
units in the 16th decimal position for a noninteger value or integers greater than 10'*. This is double 
precision accuracy. With values having decimal exponents less than 100 in magnitude, the accuracy is 
one unit in the 17th decimal position.


Higher precision can be achieved with greater care in programming, larger program size, and lower 
performance. 


iAPX286 MACRO ASSEMBLER   80287 Floating-Point to 18-Digit ASCII Conversion   10:12:38 09/25/83 PAGE

SERIES-III iAPX286 MACRO ASSEMBLER X1C08 ASSEMBLY OF MODULE FLOATING_TO_ASCII
OBJECT MODULE PLACED IN :F3:FPASC.OBJ
ASSEMBLER INVOKED BY: ASM286.86 :F3:FPASC.AP2

$title("80287 Floating-Point to 18-Digit ASCII Conversion")

        name    floating_to_ascii

        public  floating_to_ascii
        extrn   get_power_10:near,tos_status:near
;
;       This subroutine will convert the floating point number in the
;       top of the 80287 stack to an ASCII string and separate power of 10
;       scaling value (in binary). The maximum width of the ASCII string
;       formed is controlled by a parameter which must be > 1. Unnormal values,
;       denormal values, and pseudo zeroes will be correctly converted.
;       A returned value will indicate how many binary bits of
;       precision were lost in an unnormal or denormal value. The magnitude
;       (in terms of binary power) of a pseudo zero will also be indicated.
;       Integers less than 10**16 in magnitude are accurately converted if the
;       destination ASCII string field is wide enough to hold all the
;       digits. Otherwise the value is converted to scientific notation.
;
;       The status of the conversion is identified by the return value,
;       it can be:
;
;               conversion complete, string_size is defined
;               invalid arguments
;               exact integer conversion, string_size is defined
;               indefinite
;               + NAN (Not A Number)
;               - NAN
;               + Infinity
;               - Infinity
;               pseudo zero found, string_size is defined
;
;       The PLM/286 calling convention is:
;
;       floating_to_ascii:
;         procedure (number,denormal_ptr,string_ptr,size_ptr,field_size,
;                    power_ptr) word external;
;         declare (denormal_ptr,string_ptr,power_ptr,size_ptr) pointer;
;         declare field_size word, string_size based size_ptr word;
;         declare number real;
;         declare denormal integer based denormal_ptr;
;         declare power integer based power_ptr;
;         end floating_to_ascii;
;
;       The floating point value is expected to be on the top of the NPX
;       stack. This subroutine expects 3 free entries on the NPX stack and
;       will pop the passed value off when done. The generated ASCII string
;       will have a leading character either '-' or '+' indicating the sign
;       of the value. The ASCII decimal digits will immediately follow.
;       The numeric value of the ASCII string is (ASCII STRING.)*10**POWER.


Figure 4-6. Floating-Point to ASCII Conversion Routine 

;       If the given number was zero, the ASCII string will contain a sign
;       and a single zero character. The value string_size indicates the total
;       length of the ASCII string including the sign character. String(0) will
;       always hold the sign. It is possible for string_size to be less than
;       field_size. This occurs for zeroes or integer values. A pseudo zero
;       will return a special return code. The denormal count will indicate
;       the power of two originally associated with the value. The power of
;       ten and ASCII string will be as if the value was an ordinary zero.
;
;       This subroutine is accurate up to a maximum of 18 decimal digits for
;       integers. Integer values will have a decimal power of zero associated
;       with them. For non integers, the result will be accurate to within 2
;       decimal digits of the 16th decimal place (double precision). The
;       exponentiate instruction is also used for scaling the value into the
;       range acceptable for the BCD data type. The rounding mode in effect
;       on entry to the subroutine is used for the conversion.
;
;       The following registers are not transparent:
;
;               ax bx cx dx si di flags
;
$eject
;
;       Define the stack layout.
;
bp_save         equ     word ptr [bp]
es_save         equ     bp_save + size bp_save
return_ptr      equ     es_save + size es_save
power_ptr       equ     return_ptr + size return_ptr
field_size      equ     power_ptr + size power_ptr
size_ptr        equ     field_size + size field_size
string_ptr      equ     size_ptr + size size_ptr
denormal_ptr    equ     string_ptr + size string_ptr

parms_size      equ     size power_ptr + size field_size + size size_ptr +
&                       size string_ptr + size denormal_ptr
;
;       Define constants used
;
BCD_DIGITS      equ     18              ; Number of digits in bcd_value
WORD_SIZE       equ     2
BCD_SIZE        equ     10
MINUS           equ     1               ; Define return values
NAN             equ     4               ; The exact values chosen here are
INFINITY        equ     6               ; important. They must correspond to
INDEFINITE      equ     3               ; the possible return values and be in
PSUEDO_ZERO     equ     8               ; the same numeric order as tested by
INVALID         equ     -2              ; the program.
ZERO            equ     -4
DENORMAL        equ     -6
UNNORMAL        equ     -8
NORMAL          equ     0
EXACT           equ     2
;
;       Define layout of temporary storage area.
;
status          equ     word ptr [bp-WORD_SIZE]
power_two       equ     status - WORD_SIZE
power_ten       equ     power_two - WORD_SIZE
bcd_value       equ     tbyte ptr power_ten - BCD_SIZE
bcd_byte        equ     byte ptr bcd_value
fraction        equ     bcd_value
;
local_size      equ     size status + size power_two + size power_ten
&                       + size bcd_value
;
stack   stackseg (local_size+6)         ; Allocate stack space for locals
$eject
code    segment er public
        extrn   power_table:qword
;
;       Constants used by this function.
;
        even                            ; Optimize for 16 bits
const10 dw      10                      ; Adjustment value for too big BCD
;
;       Convert the C3,C2,C1,C0 encoding from tos_status into meaningful bit
;       flags and values.
;
status_table db UNNORMAL, NAN, UNNORMAL + MINUS, NAN + MINUS,
&               NORMAL, INFINITY, NORMAL + MINUS, INFINITY + MINUS,
&               ZERO, INVALID, ZERO + MINUS, INVALID,
&               DENORMAL, INVALID, DENORMAL + MINUS, INVALID


floating_to_ascii proc

        call    tos_status              ; Look at status of ST(0)
        mov     bx,ax                   ; Get descriptor from table
        mov     al,status_table[bx]
        cmp     al,INVALID              ; Look for empty ST(0)
        jne     not_empty
;
;       ST(0) is empty! Return the status value.
;
        ret     parms_size
;
;       Remove infinity from stack and exit.
;
found_infinity:

        fstp    st(0)                   ; OK to leave fstp running
        jmp     short exit_proc
;
;       String space is too small! Return invalid code.
;
small_string:

        mov     al,INVALID

exit_proc:

        leave                           ; Restore stack
        pop     es
        ret     parms_size
;
;       ST(0) is NAN or indefinite. Store the value in memory and look
;       at the fraction field to separate indefinite from an ordinary NAN.
;
NAN_or_indefinite:

        fstp    fraction                ; Remove value from stack for examination
        test    al,MINUS                ; Look at sign bit
        fwait                           ; Insure store is done
        jz      exit_proc               ; Can't be indefinite if positive

        mov     bx,0C000H               ; Match against upper 16 bits of fraction
        sub     bx,word ptr fraction+6  ; Compare bits 63-48
        or      bx,word ptr fraction+4  ; Bits 32-47 must be zero
        or      bx,word ptr fraction+2  ; Bits 31-16 must be zero
        or      bx,word ptr fraction    ; Bits 15-0 must be zero
        jnz     exit_proc

        mov     al,INDEFINITE           ; Set return value for indefinite value
        jmp     exit_proc
;
;       Allocate stack space for local variables and establish parameter
;       addressibility.
;
not_empty:

        push    es                      ; Save working register
        enter   local_size,0            ; Format stack

        mov     cx,field_size           ; Check for enough string space
        cmp     cx,2
        jl      small_string

        dec     cx                      ; Adjust for sign character
        cmp     cx,BCD_DIGITS           ; See if string is too large for BCD
        jbe     size_ok

        mov     cx,BCD_DIGITS           ; Else set maximum string size

size_ok:

        cmp     al,INFINITY             ; Look for infinity
        jge     found_infinity          ; Return status value for + or - inf

        cmp     al,NAN                  ; Look for NAN or INDEFINITE
        jge     NAN_or_indefinite
;
;       Set default return values and check that the number is normalized.
;
        fabs                            ; Use positive value only
                                        ; sign bit in al has true sign of value
        mov     dx,ax                   ; Save return value for later
        xor     ax,ax                   ; Form 0 constant
        mov     di,denormal_ptr         ; Zero denormal count
        mov     word ptr [di],ax
        mov     bx,power_ptr            ; Zero power of ten value
        mov     word ptr [bx],ax
        cmp     dl,ZERO                 ; Test for zero
        jae     real_zero               ; Skip power code if value is zero
        cmp     dl,DENORMAL             ; Look for a denormal value
        jae     found_denormal          ; Handle it specially

        fxtract                         ; Separate exponent from significand
        cmp     dl,UNNORMAL             ; Test for unnormal value
        jb      normal_value

        sub     dl,UNNORMAL-NORMAL      ; Return normal status with correct sign
;
;       Normalize the fraction, adjust the power of two in ST(1) and set
;       the denormal count value.
;
;       Assert: 0 <= ST(0) < 1.0
;
        fld1                            ; Load constant to normalize fraction

normalize_fraction:

        fadd    st(1),st                ; Set integer bit in fraction
        fsub                            ; Form normalized fraction in ST(0)
        fxtract                         ; Power of two field will be negative
                                        ; of denormal count
        fxch                            ; Put denormal count in ST(0)
        fist    word ptr [di]           ; Put negative of denormal count in memory
        faddp   st(2),st                ; Form correct power of two in st(1)
                                        ; OK to use word ptr [di] now
        neg     word ptr [di]           ; Form positive denormal count
        jnz     not_psuedo_zero
;
;       A pseudo zero will appear as an unnormal number. When attempting
;       to normalize it, the resultant fraction field will be zero. Performing
;       an fxtract on zero will yield a zero exponent value.
;
        fxch                            ; Put power of two value in st(0)
        fistp   word ptr [di]           ; Set denormal count to power of two value
                                        ; Word ptr [di] is not used by convert
                                        ; integer, OK to leave running
        sub     dl,NORMAL-PSUEDO_ZERO   ; Set return value saving the sign bit
        jmp     convert_integer         ; Put zero value into memory
;
;       The number is a real zero, set the return value and setup for
;       conversion to BCD.
;
real_zero:

        sub     dl,ZERO-NORMAL          ; Convert status to normal value
        jmp     convert_integer         ; Treat the zero as an integer
;
;       The number is a denormal. FXTRACT will not work correctly in this
;       case. To correctly separate the exponent and fraction, add a fixed
;       constant to the exponent to guarantee the result is not a denormal.
;
found_denormal:

        fld1                            ; Prepare to bump exponent
        fxch
        fprem                           ; Force denormal to smallest representable
                                        ; extended real format exponent
        fxtract                         ; This will work correctly now
;
;       The power of the original denormal value has been safely isolated.
;       Check if the fraction value is an unnormal.
;
        fxam                            ; See if the fraction is an unnormal
        fstsw   ax                      ; Save 80287 status in CPU AX reg for later
        fxch                            ; Put exponent in ST(0)
        fxch    st(2)                   ; Put 1.0 into ST(0), exponent in ST(2)
        sub     dl,DENORMAL-NORMAL      ; Return normal status with correct sign
        test    ax,4400H                ; See if C3=C2=0 implying unnormal or NAN
        jz      normalize_fraction      ; Jump if fraction is an unnormal

        fstp    st(0)                   ; Remove unnecessary 1.0 from st(0)
;
;       Calculate the decimal magnitude associated with this number to
;       within one order. This error will always be inevitable due to
;       rounding and lost precision. As a result, we will deliberately fail
;       to consider the LOG10 of the fraction value in calculating the order.
;       Since the fraction will always be 1 <= F < 2, its LOG10 will not change
;       the basic accuracy of the function. To get the decimal order of magnitude,
;       simply multiply the power of two by LOG10(2) and truncate the result to
;       an integer.
;
normal_value:
not_psuedo_zero:

        fstp    fraction                ; Save the fraction field for later use
        fist    power_two               ; Save power of two
        fldlg2                          ; Get LOG10(2)
                                        ; Power_two is now safe to use
        fmul                            ; Form LOG10(of exponent of number)
        fistp   power_ten               ; Any rounding mode will work here
;
;       Check if the magnitude of the number rules out treating it as
;       an integer.
;
;       CX has the maximum number of decimal digits allowed.
;




fuait 
mov 
sub 
ja 


Test if 


a re 


fild 
mov 
sub 
fld 
fscale 
fst 
frndint 
fcomp 
fstsu 
test 
jnz 


fstp 
mov 


Scale 


The scaling operation should produce a number within one decimal order 


Wait for power_ten to be valid 
ax, power_ten Get power of ten of value 
ax, cx 


adyust_result 


-~- ee we 


Jump if number will not fit 


The number is between 1 and 10#*(field_ size) 


it is an integer 


power_two i) Restore original number 


si,dx i Save return value 
d1, NORMAL~EXACT i Convert to exact return value 
fraction 

i Form full value, this is safe here 
stl) i Copy value for compare 

i Test if its an integer 

i Compare values 
status i Save status 


status, 4000H C3=1 


convert_integer 


implies it was an integer 


st(0) ; 
dx, si i 


Remove non integer value 
Restore original return value 


the number to within the range allowed by the BCD format. 


of magnitude of the largest decimal number representable within the 


The scaling power of ten value is in ax. 


i given string width. 
i 


adyust_result: 


mov 
neg 


call 


fld 
fmul 
mov 
shl 
shl 
shl 
fild 
faddp 
fscale 
fstp 


result 


est_power: 


fcoom 


fstsu 
test 
jynz 
fidiv 
and 

inc 

Jmp 

test _for_small: 

fcom 


fstsw 
test 


JZ 


fimul 
dec 


in_range: 
frndint 


Assert: 
The TOS 


onvert_integer: 
fbstp 


While 
ASCII. 


a 


mov 


word ptr CbxJ,ax 
ax Subtract one for each order of 

magnitude the value is scaled by 
get_power_10 
and fraction 


wee ee ew we 


fraction Get fraction 
Combine fractions 

si,cx Form power of ten of the maximum 
si,1 BCD value to fit in the string 
si,l Index in si 
si,l 
power two i Combine powers of two 
st(2),s5t 

i Form full value. exponent was safe 
st(1) i Remove exponent 


Test the adyusted value against a table of exact powers of ten. 
The combined errors of the magnitude estimate and power function can 
in a valve one order of magnitude too small or too large to fit 
correctly in the BCD field. 
adyusted value, 
adjust the power of ten value 


To handle this problem, pretest the 


if it is too small or large, 


power_tableCsil+type power_table: 
i entry. 
i has been decremented by one 

ax i No wait is necessary 

ax, 4100H i If C3 = CO = 0 then too big 

test_for_small 


const10 

dl,not EXACT 
word ptr CEbxJ 
short in_range 


Else adjust value 

Remove exact flag 

Adyust power of ten value 

Convert the value to a BCD integer 


power_tableCsil Test relative size 


ax i No wait is necessary 

ax, 100H + If CO = O then st(0) >= lower bound 
in_range + Convert the value to a BCD integer 
const10 i Adjust value into range 


word ptr CbxJ i Adjust power of ten value 


i Form integer value 


O <= TOS <= 999, 999, 999, 999, 999, 999 
Number will be exactly representable in 18 digit BCD format 


bed_value 3 Store as BCD format number 


the store BCD runs, setup registers for the conversion to 


si, BCD_SIZE-2 i Initial BCD index value 


Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont’d.) 
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Form scaling factor necessary in ax 


Set initial power of ten return value 


then adjust it by ten and 


Compare against exact power 
Use the next entry since cx 


10:12:38 09/25/83 PAGE r] 


Scaling factor is returned as exponent 
        mov     cx,0F04h                ; Set shift count and mask
        mov     bx,1                    ; Set initial size of ASCII field for sign
        mov     di,string_ptr           ; Get address of start of ASCII string
        mov     ax,ds                   ; Copy ds to es
        mov     es,ax
        cld                             ; Set autoincrement mode
        mov     al,'+'                  ; Clear sign field
        test    dl,MINUS                ; Look for negative value
        jz      positive_result

        mov     al,'-'

positive_result:

        stosb                           ; Bump string pointer past sign
        and     dl,not MINUS            ; Turn off sign bit
        fwait                           ; Wait for fbstp to finish
;
;       Register usage:
;               ah:     BCD byte value in use
;               al:     ASCII character value
;               dx:     Return value
;               ch:     BCD mask = 0fh
;               cl:     BCD shift count = 4
;               bx:     ASCII string field width
;               si:     BCD field index
;               di:     ASCII string field pointer
;               ds,es:  ASCII string segment base
;
;       Remove leading zeroes from the number.
;
skip_leading_zeroes:

        mov     ah,bcd_byte[si]         ; Get BCD byte
        mov     al,ah                   ; Copy value
        shr     al,cl                   ; Get high order digit
        and     al,ch                   ; Set zero flag
        jnz     enter_odd               ; Exit loop if leading non zero found

        mov     al,ah                   ; Get BCD byte again
        and     al,ch                   ; Get low order digit
        jnz     enter_even              ; Exit loop if non zero digit found

        dec     si                      ; Decrement BCD index
        jns     skip_leading_zeroes
;
;       The significand was all zeroes
;
        mov     al,'0'                  ; Set initial zero
        stosb
        inc     bx                      ; Bump string length
        jmp     short exit_with_value
;
;       Now expand the BCD string into digit per byte values 0-9
;
digit_loop:

        mov     ah,bcd_byte[si]         ; Get BCD byte
        mov     al,ah
        shr     al,cl                   ; Get high order digit

enter_odd:

        add     al,'0'                  ; Convert to ASCII
        stosb                           ; Put digit into ASCII string area
        mov     al,ah                   ; Get low order digit
        and     al,ch
        inc     bx                      ; Bump field size counter

enter_even:

        add     al,'0'                  ; Convert to ASCII
        stosb                           ; Put digit into ASCII area
        inc     bx                      ; Bump field size counter
        dec     si                      ; Go to next BCD byte
        jns     digit_loop
;
;       Conversion complete. Set the string size and remainder
;
exit_with_value:

        mov     di,size_ptr
        mov     word ptr [di],bx
        mov     ax,dx                   ; Set return value
        jmp     exit_proc

floating_to_ascii endp
code    ends
        end


ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS


Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont’d.) 
iAPX286 MACRO ASSEMBLER    Calculate the value of 10**ax    12:11:08 09/25/83 PAGE 1

+1 $title("Calculate the value of 10**ax")
;
;       This subroutine will calculate the value of 10**ax.
;       For values of 0 <= ax < 19, the result will be exact.
;       All 80286 registers are transparent and the value is returned on
;       the TOS as two numbers, exponent in ST(1) and fraction in ST(0).
;       The exponent value can be larger than the largest exponent of an
;       extended real format number. Three stack entries are used.
;
        name    get_power_10

        public  get_power_10,power_table

stack   stackseg 8

code    segment er public
;
;       Use exact values from 1.0 to 1e18
;
        even                            ; Optimize 16 bit access
power_table dq  1.0,1e1,1e2,1e3
        dq      1e4,1e5,1e6,1e7
        dq      1e8,1e9,1e10,1e11
        dq      1e12,1e13,1e14,1e15
        dq      1e16,1e17,1e18

get_power_10 proc

        cmp     ax,18                   ; Test for 0 <= ax < 19
        ja      out_of_range

        push    bx                      ; Get working index register
        mov     bx,ax                   ; Form table index
        shl     bx,3
        fld     power_table[bx]         ; Get exact value
        pop     bx                      ; Restore register value
        fxtract                         ; Separate power and fraction
        ret                             ; OK to leave fxtract running
;
;       Calculate the value using the exponentiate instruction.
;       The following relations are used:
;               10**x = 2**(log2(10)*x)
;               2**(I+F) = 2**I * 2**F
;       if st(1) = I and st(0) = 2**F then fscale produces 2**(I+F)
;
out_of_range:

        fldl2t                          ; TOS = LOG2(10)
        enter   4,0                     ; Format stack
        mov     [bp-2],ax               ; Save power of 10 value
        fimul   word ptr [bp-2]         ; TOS,X = LOG2(10)*P = LOG2(10**P)
        fstcw   word ptr [bp-4]         ; Get current control word
        mov     ax,word ptr [bp-4]      ; Get control word, no wait necessary
        and     ax,not 0C00H            ; Mask off current rounding field
        or      ax,0400H                ; Set round to negative infinity
        xchg    ax,word ptr [bp-4]      ; Put new control word in memory
                                        ; old control word is in ax
        fld1                            ; Set TOS = -1.0
        fchs
        fld     st(1)                   ; Copy power value in base two
        fldcw   word ptr [bp-4]         ; Set new control word value

Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont’d.) 
        frndint                         ; TOS = I: -inf < I <= X, I is an integer
        mov     word ptr [bp-4],ax      ; Restore original rounding control
        fldcw   word ptr [bp-4]
        fxch    st(2)                   ; TOS = X, ST(1) = -1.0, ST(2) = I
        fsub    st,st(2)                ; TOS,F = X-I: 0 <= TOS < 1.0
        mov     ax,[bp-2]               ; Restore power of ten
        fscale                          ; TOS = F/2: 0 <= TOS < 0.5
        f2xm1                           ; TOS = 2**(F/2) - 1.0
        leave                           ; Restore stack
        fsubr                           ; Form 2**(F/2)
        fmul    st,st(0)                ; Form 2**F
        ret                             ; OK to leave fmul running

get_power_10 endp

code    ends
        end


ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS


iAPX286 MACRO ASSEMBLER    Determine TOS register contents    12:12:13 09/25/83 PAGE

SERIES-III iAPX286 MACRO ASSEMBLER X108 ASSEMBLY OF MODULE TOS_STATUS
OBJECT MODULE PLACED IN :F3:TOSST.OBJ
ASSEMBLER INVOKED BY: ASM286.86 :F3:TOSST.AP2

$title("Determine TOS register contents")
;
;       This subroutine will return a value from 0-15 in AX corresponding
;       to the contents of 80287 TOS. All registers are transparent and no
;       errors are possible. The return value corresponds to c3,c2,c1,c0
;       of FXAM instruction.
;
        name    tos_status

        public  tos_status

stack   stackseg 6                      ; Allocate space on the stack

code    segment er public

tos_status proc

        fxam                            ; Get register contents status
        fstsw   ax                      ; Get status
        mov     al,ah                   ; Put bit 10-8 into bits 2-0
        and     ax,4007h                ; Mask out bits c3,c2,c1,c0
        shr     ah,3                    ; Put bit c3 into bit 11
        or      al,ah                   ; Put c3 into bit 3
        mov     ah,0                    ; Clear return value
        ret

tos_status endp

code    ends
        end


ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS


Figure 4-6. Floating-Point to ASCII Conversion Routine (Cont’d.) 


Function Partitioning 


Three separate modules implement the conversion. Most of the work of the conversion is done in the
module FLOATING_TO_ASCII. The other modules are provided separately, because they have a
more general use. One of them, GET_POWER_10, is also used by the ASCII to floating-point conver-
sion routine. The other small module, TOS_STATUS, will identify what, if anything, is in the top of
the numeric register stack.


Exception Considerations


Care is taken inside the function to avoid generating exceptions. Any possible numeric value will be 
accepted. The only exceptions possible would occur if insufficient space exists on the numeric register 
stack. 


The value passed in the numeric stack is checked for existence, type (NaN or infinity), and status 
(unnormal, denormal, zero, sign). The string size is tested for a minimum and maximum value. If the 
top of the register stack is empty, or the string size is too small, the function will return with an error 
code. 


Overflow and underflow are avoided inside the function for very large or very small numbers.


Special Instructions 


The functions demonstrate the operation of several numeric instructions, different data types, and
precision control. Shown are instructions for automatic conversion to BCD, calculating the value of 10
raised to an integer value, establishing and maintaining concurrency, data synchronization, and use of
directed rounding on the NPX.


Without the extended precision data type and built-in exponential function, the double precision accuracy 
of this function could not be attained with the size and speed of the shown example. 


The function relies on the numeric BCD data type for conversion from binary floating-point to decimal.
It is not difficult to unpack the BCD digits into separate ASCII decimal digits. The major work involves
scaling the floating-point value to the comparatively limited range of BCD values. To print a 9-digit
result requires accurately scaling the given value to an integer between 10**8 and 10**9. For example, the
number +0.123456789 requires a scaling factor of 10**9 to produce the value +123456789.0, which
can be stored in 9 BCD digits. The scale factor must be an exact power of 10 to avoid changing any
of the printed digit values.


These routines should exactly convert all values exactly representable in decimal in the field size given. 
Integer values that fit in the given string size will not be scaled, but directly stored into the BCD form. 
Noninteger values exactly representable in decimal within the string size limits will also be exactly 
converted. For example, 0.125 is exactly representable in binary or decimal. To convert this floating- 
point value to decimal, the scaling factor will be 1000, resulting in 125. When scaling a value, the 
function must keep track of where the decimal point lies in the final decimal value. 


Description of Operation 


Converting a floating-point number to decimal ASCII takes three major steps: identifying the magni- 
tude of the number, scaling it for the BCD data type, and converting the BCD data type to a decimal 
ASCII string. 


Identifying the magnitude of the result requires finding the value X such that the number is repre-
sented by I*10**X, where 1.00 <= I < 10.0. Scaling the number requires multiplying it by a scaling
factor 10**S, so that the result is an integer requiring no more decimal digits than provided for in the
ASCII string.


Once scaled, the numeric rounding modes and BCD conversion put the number in a form easy to 
convert to decimal ASCII by host software. 
Implementing each of these three steps requires attention to detail. To begin with, not all floating-point
values have a numeric meaning. Values such as infinity, indefinite, or Not a Number (NaN) may be
encountered by the conversion routine. The conversion routine should recognize these values and identify
them uniquely.


Special cases of numeric values also exist. Denormals, unnormals, and pseudo zero all have a numeric
value but should be recognized, because all of them indicate that precision was lost during some earlier
calculations.


Once it has been determined that the number has a numeric value, and it is normalized setting appro- 
priate unnormal flags, the value must be scaled to the BCD range. 


Scaling the Value 


To scale the number, its magnitude must be determined. It is sufficient to calculate the magnitude to
an accuracy of 1 unit, or within a factor of 10 of the given value. After scaling the number, a check
will be made to see if the result falls in the range expected. If not, the result can be adjusted one
decimal order of magnitude up or down. The adjustment test after the scaling is necessary due to
inevitable inaccuracies in the scaling value.


Because the magnitude estimate need only be close, a fast technique is used. The magnitude is estimated
by multiplying the power of 2, the unbiased floating-point exponent, associated with the number by
log10(2). Rounding the result to an integer will produce an estimate of sufficient accuracy. Ignoring the
fraction value can introduce a maximum error of 0.32 in the result.


Using the magnitude of the value and size of the number string, the scaling factor can be calculated.
Calculating the scaling factor is the most inaccurate operation of the conversion process. The relation
10**X = 2**(X*log2(10)) is used for this function. The exponentiate instruction (F2XM1) will be used.


Due to restrictions on the range of values allowed by the F2XM1 instruction, the power of 2 value will
be split into integer and fraction components. The relation 2**(I + F) = 2**I * 2**F allows using
the FSCALE instruction to recombine the 2**F value, calculated through F2XM1, and the 2**I part.


INACCURACY IN SCALING


The inaccuracy of these operations arises because of the trailing zeros placed into the fraction value
when stripping off the integer valued bits. For each integer valued bit in the power of 2 value separated
from the fraction bits, one bit of precision is lost in the fraction field due to the zero fill occurring in
the least significant bits.


Up to 14 bits may be lost in the fraction because the largest allowed floating point exponent value is
2**14 - 1.


AVOIDING UNDERFLOW AND OVERFLOW


The fraction and exponent fields of the number are separated to avoid underflow and overflow in
calculating the scaling values. For example, to scale 10**-4932 to 10**8 requires a scaling factor of 10**4940,
which cannot be represented by the NPX.


By separating the exponent and fraction, the scaling operation involves adding the exponents separate
from multiplying the fractions. The exponent arithmetic will involve small integers, all easily repre-
sented by the NPX.




FINAL ADJUSTMENTS 


It is possible that the power function (Get_Power_10) could produce a scaling value such that it forms
a scaled result larger than the ASCII field could allow. For example, scaling 9.9999999999999999 X
10**4900 by 1.00000000000000010 X 10**-4883 would produce 1.00000000000000009 X 10**18. The scale
factor is within the accuracy of the NPX and the result is within the conversion accuracy, but it cannot
be represented in BCD format. This is why there is a post-scaling test on the magnitude of the result.
The result can be multiplied or divided by 10, depending on whether the result was too small or too
large, respectively.


Output Format 


For maximum flexibility in output formats, the position of the decimal point is indicated by a binary 
integer called the power value. If the power value is zero, then the decimal point is assumed to be at 
the right of the rightmost digit. Power values greater than zero indicate how many trailing zeros are 
not shown. For each unit below zero, move the decimal point to the left in the string. 


The last step of the conversion is storing the result in BCD and indicating where the decimal point lies. 
The BCD string is then unpacked into ASCII decimal characters. The ASCII sign is set corresponding 
to the sign of the original value. 
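
The three steps described above (magnitude estimate from the binary exponent, scaling with the fractions multiplied and the exponents added separately, then BCD unpacking) can be modelled in a few lines. This is an added Python example, not part of the manual's listing; all function names are hypothetical, and it assumes Python floats (53-bit doubles), so it accepts at most 15 digits rather than the 18 the NPX handles.

```python
import math

BCD_DIGITS = 18     # digit capacity of the 80287 packed decimal format
MODEL_DIGITS = 15   # assumption: Python floats are 53-bit doubles, not extended reals


def pack_bcd(n, negative):
    """Pack n into the 10-byte packed decimal layout: 9 digit bytes, then a sign byte."""
    out = bytearray(10)
    for i in range(BCD_DIGITS // 2):
        n, pair = divmod(n, 100)
        out[i] = (pair // 10) << 4 | (pair % 10)
    out[9] = 0x80 if negative else 0x00
    return bytes(out)


def unpack_bcd(bcd):
    """Expand the digit bytes, most significant first, and skip leading zeroes."""
    digits = "".join(f"{b >> 4}{b & 0x0F}" for b in reversed(bcd[:9]))
    return digits.lstrip("0") or "0"


def power_of_ten_split(k):
    """Return (fraction, exponent) such that 10**k == fraction * 2**exponent."""
    if 0 <= k <= 18:                       # exact table range
        frac, exp2 = math.frexp(float(10 ** k))
        return frac * 2.0, exp2 - 1
    x = k * math.log2(10)                  # 10**k = 2**(k*log2(10)) = 2**I * 2**F
    i = math.floor(x)                      # round toward negative infinity
    return 2.0 ** (x - i), i


def float_to_decimal(value, digits):
    """Return (sign, digit_string, power): value ~= int(digit_string) * 10**power."""
    if math.isnan(value) or math.isinf(value):
        raise ValueError("NaN and infinity have no decimal digits")
    if not 1 <= digits <= MODEL_DIGITS:
        raise ValueError("digit count outside the range this model supports")
    negative = math.copysign(1.0, value) < 0
    mag = abs(value)
    power = 0
    if mag == math.floor(mag) and mag < 10 ** digits:
        n = int(mag)                       # integers that fit are stored unscaled
    else:
        frac, exp2 = math.frexp(mag)       # mag = frac * 2**exp2, 0.5 <= frac < 1
        frac, exp2 = frac * 2.0, exp2 - 1  # renormalise so that 1 <= frac < 2
        power_ten = math.floor(exp2 * math.log10(2))   # estimate from exponent alone
        scale = digits - 1 - power_ten
        frac10, exp10 = power_of_ten_split(scale)
        # Multiply fractions and add exponents separately, then recombine.
        scaled = math.ldexp(frac * frac10, exp2 + exp10)
        power = -scale
        if scaled >= 10 ** digits:         # estimate was one order too small
            scaled /= 10
            power += 1
        elif scaled < 10 ** (digits - 1):  # inexact scaling left it one order short
            scaled *= 10
            power -= 1
        n = round(scaled)
        if n == 10 ** digits:              # rounding carried into an extra digit
            n //= 10
            power += 1
    return ("-" if negative else "+", unpack_bcd(pack_bcd(n, negative)), power)
```

The returned power follows the output format above: zero puts the decimal point to the right of the last digit, and each unit below zero moves it one place left.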


TRIGONOMETRIC CALCULATION EXAMPLES 


The 80287 instruction set does not provide a complete set of trigonometric functions that can be used
directly in calculations. Rather, the basic building blocks for implementing trigonometric functions are
provided by the FPTAN and FPREM instructions. The example in figure 4-7 shows how three trigon-
ometric functions (sine, cosine, and tangent) can be implemented using the 80287. All three functions
accept a valid angle argument between -2**62 and +2**62. These functions may be called from
PL/M-286, Pascal-286, FORTRAN-286, or ASM286 routines.


These trigonometric functions use the partial tangent instruction together with trigonometric identities 
to calculate the result. They are accurate to within 16 units of the low 4 bits of an extended precision 
value. The functions are coded for speed and small size, with tradeoffs available for greater accuracy. 


FPTAN and FPREM 


These trigonometric functions use the FPTAN instruction of the NPX. FPTAN requires that the angle
argument be between 0 and π/4 radians, 0 to 45 degrees. The FPREM instruction is used to reduce
the argument down to this range. The low three quotient bits set by FPREM identify which octant the
original angle was in.


One FPREM instruction iteration can reduce angles of 10**18 radians or less in magnitude to π/4. Larger
values can be reduced, but the meaning of the result is questionable, because any errors in the least
significant bits of that value represent changes of 45 degrees or more in the reduced angle.


Cosine Uses Sine Code


To save code space, the cosine function uses most of the sine function code. The relation sin(|A| +
π/2) = cos(A) is used to convert the cosine argument into a sine argument. Adding π/2 to the angle
is performed by adding 010 (binary) to the FPREM quotient bits identifying the argument’s octant.


It would be very inaccurate to add π/2 to the cosine argument if it was very much different from
π/2.


Depending on which octant the argument falls in, a different relation will be used in the sine and
tangent functions. The program listings show which relations are used.


For the tangent function, the ratio produced by FPTAN will be directly evaluated. The sine function 
will use either a sine or cosine relation depending on which octant the angle fell into. On exit, these 
functions will normally leave a divide instruction in progress to maintain concurrency. 


If the input angles are of a restricted range, such as from 0 to 45 degrees, then considerable optimiza-
tion is possible since full angle reduction and octant identification is not necessary.


All three functions begin by looking at the value given to them. Not a Number (NaN), infinity, or
empty registers must be specially treated. Unnormals need to be converted to normal values before the
FPTAN instruction will work correctly. Denormals will be converted to very small unnormals that do
work correctly for the FPTAN instruction. The sign of the angle is saved to control the sign of the
result.


Within the functions, close attention was paid to maintain concurrent execution of the 80287 and host.
The concurrent execution will effectively hide the execution time of the decision logic used in the
program.
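
The octant logic described above, following the decision table in the Figure 4-7 listing comments, as an added Python model that is not part of the manual's code. Function names are hypothetical; `math.tan` stands in for FPTAN (with X fixed at 1.0), `divmod` stands in for FPREM, and NaN stands in for the NPX indefinite value.

```python
import math

PI_QUARTER = math.pi / 4
MAX_ANGLE = 2.0 ** 62        # the listing treats larger magnitudes as an error


def reduce_to_octant(angle):
    """Model FPREM: (|angle| mod PI/4, low three bits of the truncated quotient)."""
    quotient, remainder = divmod(abs(angle), PI_QUARTER)
    return remainder, int(quotient) & 7


def _sine_core(angle, is_cosine):
    if math.isnan(angle):
        return angle                         # NaN in, NaN out
    if math.isinf(angle) or abs(angle) >= MAX_ANGLE:
        return math.nan                      # stands in for the NPX "indefinite"
    r, octant = reduce_to_octant(angle)
    negative = angle < 0
    if is_cosine:
        octant = (octant + 2) & 7            # cos(A) = sin(|A| + PI/2): add 010b
        negative = False                     # cos(|A|) = cos(A)
    if octant & 1:
        r = PI_QUARTER - r                   # octants 1,3,5,7 use PI/4 - R
    y, x = math.tan(r), 1.0                  # FPTAN yields Y and X with tan(r) = Y/X
    # Octants 1,2,5,6 take the cosine relation X/sqrt(X*X + Y*Y),
    # the others take the sine relation Y/sqrt(X*X + Y*Y).
    numerator = x if (octant & 3) in (1, 2) else y
    result = numerator / math.sqrt(x * x + y * y)
    if octant & 4:
        negative = not negative              # second half of the revolution
    return -result if negative else result


def sine(angle):
    """Sine through octant reduction and the partial tangent."""
    return _sine_core(angle, False)


def cosine(angle):
    """Cosine through the same code path, shifted by a quarter revolution."""
    return _sine_core(angle, True)
```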


iAPX286 MACRO ASSEMBLER    80287 Trignometric Functions    10:13:51 09/25/83 PAGE 1

SERIES-III iAPX286 MACRO ASSEMBLER X108 ASSEMBLY OF MODULE TRIG_FUNCTIONS
OBJECT MODULE PLACED IN :F3:TRIG.OBJ
ASSEMBLER INVOKED BY: ASM286.86 :F3:TRIG.AP2

$title("80287 Trignometric Functions")

        name    trig_functions
        public  sine,cosine,tangent

stack   stackseg 6                      ; Reserve local space

        record  res1:1,cond3:1,top:3,cond2:1,cond1:1,cond0:1,
                res2:8

code    segment er public
;
;       Define local constants.
;
        even
pi_quarter dt   3FFEC90FDAA22168C235R   ; PI/4
indefinite dd   0FFC00000R              ; Indefinite special value
+1 $eject

Figure 4-7. Calculating Trigonometric Functions 
;
;       This subroutine calculates the sine or cosine of the angle, given in
;       radians. The angle is in ST(0), the returned value will be in ST(0).
;       The result is accurate to within 7 units of the least significant three
;       bits of the NPX extended real format. The PLM/86 definition is:
;
;       sine:   procedure (angle) real external;
;               declare angle real;
;               end sine;
;
;       cosine: procedure (angle) real external;
;               declare angle real;
;               end cosine;
;
;       Three stack registers are required. The result of the function is
;       defined as follows for the following arguments:
;
;               angle                                   result
;
;       valid or unnormal less than 2**62 in magnitude  correct value
;       zero                                            0 or 1
;       denormal                                        correct denormal
;       valid or unnormal greater than 2**62            indefinite
;       infinity                                        indefinite
;       NAN                                             NAN
;       empty                                           empty
+1 $eject
;
;       This function is based on the NPX fptan instruction. The fptan
;       instruction will only work with an angle of from 0 to PI/4. With this
;       instruction, the sine or cosine of angles from 0 to PI/4 can be accurately
;       calculated. The technique used by this routine can calculate a general
;       sine or cosine by using one of four possible operations:
;
;       Let R = |angle mod PI/4|
;           S = -1 or 1, according to the sign of the angle
;
;       1) sin(R)    2) cos(R)    3) sin(PI/4-R)    4) cos(PI/4-R)
;
;       The choice of the relation and the sign of the result follows the
;       decision table shown below based on the octant the angle falls in:
;
;       octant  sine    cosine
;
;         0     S*1     2
;         1     S*4     3
;         2     S*2     -1*1
;         3     S*3     -1*4
;         4     -S*1    -1*2
;         5     -S*4    -1*3
;         6     -S*2    1
;         7     -S*3    4
;
+1 $eject
;
;       Angle to sine function is a zero or unnormal
;
sine_zero_unnormal:

        fstp    st(1)                   ; Remove PI/4
        jnz     enter_sine_normalize    ; Jump if angle is unnormal
;
;       Angle is a zero.
;
        ret
;
;       Angle is an unnormal.
;
enter_sine_normalize:

        call    normalize_value
        jmp     short enter_sine

cosine  proc                            ; Entry point to cosine

        fxam                            ; Look at the value
        fstsw   ax                      ; Store status value
        fld     pi_quarter              ; Setup for angle reduce
        mov     cl,1                    ; Signal cosine function
        sahf                            ; ZF = C3, PF = C2, CF = C0
        jc      funny_parameter         ; Jump if parameter is
                                        ; empty, NAN, or infinity
;
;       Angle is unnormal, normal, zero, denormal.
;
        fxch                            ; st(0) = angle, st(1) = PI/4
        jpe     enter_sine              ; Jump if normal or denormal
;
;       Angle is an unnormal or zero.
;
        fstp    st(1)                   ; Remove PI/4
        jnz     enter_sine_normalize
;
;       Angle is a zero. cos(0) = 1.0

Figure 4-7. Calculating Trigonometric Functions (Cont’d.) 
;
        fstp    st(0)                   ; Remove 0
        fld1                            ; Return 1
        ret
;
;       All work is done as a sine function. By adding PI/2 to the angle
;       a cosine is converted to a sine. Of course the angle addition is not
;       done to the argument but rather to the program logic control values.
;
sine:                                   ; Entry point for sine function

        fxam                            ; Look at the parameter
        fstsw   ax                      ; Look at fxam status
        fld     pi_quarter              ; Get PI/4 value
        sahf                            ; CF = C0, PF = C2, ZF = C3
        jc      funny_parameter         ; Jump if empty, NAN, or infinity
;
;       Angle is unnormal, normal, zero, or denormal
;
        fxch                            ; ST(1) = PI/4, st(0) = angle
        mov     cl,0                    ; Signal sine
        jpo     sine_zero_unnormal      ; Jump if zero or unnormal
;
;       ST(0) is either a normal or denormal value. Both will work.
;       Use the fprem instruction to accurately reduce the range of the given
;       angle to within 0 and PI/4 in magnitude. If fprem cannot reduce the
;       angle in one shot, the angle is too big to be meaningful, > 2**62
;       radians. Any roundoff error in the calculation of the angle given
;       could completely change the result of this function. It is safest to
;       call this very rare case an error.
;
enter_sine:

        fprem                           ; Reduce angle
                                        ; Note that fprem will force a
                                        ; denormal to a very small unnormal
                                        ; Fptan of a very small unnormal
                                        ; will be the same very small
                                        ; unnormal, which is correct.
        xchg    ax,bx                   ; Save old status in BX
        fstsw   ax                      ; Check if reduction was complete
                                        ; Quotient in C0,C3,C1
        xchg    ax,bx                   ; Put new status in bx
        test    bh,high(mask cond2)     ; sin(2*N*PI+x) = sin(x)
        jnz     angle_too_big
;
;       Set sign flags and test for which eighth of the revolution the
;       angle fell into
;
;       Assert: -PI/4 < st(0) < PI/4
;
        fabs                            ; Force the argument positive
                                        ; cond1 bit in bx holds the sign
        or      cl,cl                   ; Test for sine or cosine function
        jz      sine_select             ; Jump if sine function
;
;       This is a cosine function. Ignore the original sign of the angle
;       and add a quarter revolution to the octant id from the fprem instruction
;       cos(A) = sin(A+PI/2) and cos(|A|) = cos(A)
;
        and     ah,not high(mask cond1) ; Turn off sign of argument
        or      bh,80H                  ; Prepare to add 010 to C0,C3,C1
                                        ; status value in ax
                                        ; Set busy bit so carry out from
        add     bh,high(mask cond3)     ; C3 will go into the carry flag
        mov     al,0                    ; Extract carry flag
        rcl     al,1                    ; Put carry flag in low bit
        xor     bh,al                   ; Add carry to C0 not changing
                                        ; C1 flag
;
;       See if the argument should be reversed, depending on the octant in
;       which the argument fell during fprem.
;
sine_select:

        test    bh,high(mask cond1)     ; Reverse angle if C1 = 1
        jz      no_sine_reverse
;
;       Angle was in octants 1,3,5,7
;
        fsub                            ; Invert sense of rotation
        jmp     short do_sine_fptan     ; 0 < arg <= PI/4
;
;       Angle was in octants 0,2,4,6.
;       Test for a zero argument since fptan will not work if st(0) = 0
;
no_sine_reverse:

        ftst                            ; Test for zero angle
        xchg    ax,cx
        fstsw   ax                      ; cond3 = 1 if st(0) = 0
        xchg    ax,cx
        fstp    st(1)                   ; Remove PI/4
        test    ch,high(mask cond3)     ; If C3=1, argument is zero
        jnz     sine_argument_zero

Figure 4-7. Calculating Trigonometric Functions (Cont’d.)


;
;       Assert: 0 < st(0) <= PI/4
;
do_sine_fptan:

        fptan                           ; TAN ST(0) = ST(1)/ST(0) = Y/X

after_sine_fptan:

        test    bh,high(mask cond3 + mask cond1)
        jpo     X_numerator             ; Calculate cosine for octants
                                        ;  1,2,5,6
;
;       Calculate the sine of the argument.
;       sin(A) = tan(A)/sqrt(1+tan(A)**2)       if tan(A) = Y/X then
;       sin(A) = Y/sqrt(X*X + Y*Y)
;
        fld     st(1)                   ; Copy Y value
        jmp     short finish_sine       ; Put Y value in numerator
;
;       The top of the stack is either NAN, infinity, or empty.
;
funny_parameter:

        fstp    st(0)                   ; Remove PI/4
        jz      return_empty            ; Return empty if no parm
        jpo     return_NAN              ; Jump if st(0) is NAN
;
;       st(0) is infinity.  Return an indefinite value.
;
        fprem                           ; ST(1) can be anything

return_NAN:
return_empty:

        ret                             ; Ok to leave fprem running
;
;       Simulate fptan with st(0) = 0
;
sine_argument_zero:

        fld1                            ; Simulate tan(0)
        jmp     after_sine_fptan        ; Return the zero value
;
;       The angle was too large.  Remove the modulus and dividend from the
;       stack and return an indefinite result.
;
angle_too_big:

        fcompp                          ; Pop two values from the stack
        fld     indefinite              ; Return indefinite
        fwait                           ; Wait for load to finish
        ret
;
;       Calculate the cosine of the argument.
;       cos(A) = 1/sqrt(1+tan(A)**2)            if tan(A) = Y/X then
;       cos(A) = X/sqrt(X*X + Y*Y)
;
X_numerator:

        fld     st(0)                   ; Copy X value
        fxch    st(2)                   ; Put X in numerator

finish_sine:

        fmul    st,st(0)                ; Form X*X + Y*Y
        fxch
        fmul    st,st(0)
        fadd                            ; st(0) = X*X + Y*Y
        fsqrt                           ; st(0) = sqrt(X*X + Y*Y)
;
;       Form the sign of the result.  The two conditions are the C1 flag from
;       FXAM in bh and the C0 flag from fprem in ah.
;
        and     bh,high(mask cond0)     ; Look at the fprem C0 flag
        and     ah,high(mask cond1)     ; Look at the fxam C1 flag
        or      bh,ah                   ; Even number of flags cancel
        jpe     positive_sine           ; Two negatives make a positive

        fchs                            ; Force result negative

positive_sine:

        fdiv                            ; Form final result
        ret                             ; Ok to leave fdiv running

cosine  endp
$eject
;
;       This function will calculate the tangent of an angle.
;       The angle, in radians is passed in ST(0), the tangent is returned
;       in ST(0).  The tangent is calculated to an accuracy of 4 units in the
;       least three significant bits of an extended real format number.  The
;       PLM/86 calling format is:
;
;       tangent: procedure (angle) real external;
;       declare angle real;
;       end tangent;
;
;       Two stack registers are used.  The result of the tangent function is
;       defined for the following cases:
;
;       angle                                   result
;
;       valid or unnormal < 2**62 in magnitude  correct value
;       0                                       0
;       denormal                                correct denormal
;       valid or unnormal > 2**62 in magnitude  indefinite
;       NAN                                     NAN
;       infinity                                indefinite
;       empty                                   empty
;
;       The tangent instruction uses the fptan instruction.  Four possible
;       relations are used:
;
;       Let R = |angle MOD PI/4|
;           S = -1 or 1 depending on the sign of the angle
;
;       1) tan(R)   2) tan(PI/4-R)   3) 1/tan(R)   4) 1/tan(PI/4-R)
;
;       The following table is used to decide which relation to use depending
;       on in which octant the angle fell.
;
;       octant  relation
;
;          0     S*1
;          1     S*4
;          2    -S*3
;          3    -S*2
;          4     S*1
;          5     S*4
;          6    -S*3
;          7    -S*2
;
tangent proc

        fxam                            ; Look at the parameter
        fstsw   ax                      ; Get fxam status
        fld     pi_quarter              ; Get PI/4
        sahf                            ; CF = C0, PF = C2, ZF = C3
        jc      funny_parameter
;
;       Angle is unnormal, normal, zero, or denormal.
;
        fxch                            ; st(0) = angle, st(1) = PI/4
        jpe     tan_zero_unnormal
;
;       Angle is either a normal or denormal.
;       Reduce the angle to the range -PI/4 < result < PI/4.
;       If fprem cannot perform this operation in one try, the magnitude of the
;       angle must be > 2**62.  Such an angle is so large that any rounding
;       errors could make a very large difference in the reduced angle.
;       It is safest to call this very rare case an error.
;
tan_normal:

        fprem                           ; Quotient in C0,C3,C1
                                        ; Convert denormals into unnormals
        xchg    ax,bx
        fstsw   ax                      ; Quotient identifies octant
                                        ;  original angle fell into
        xchg    ax,bx
        test    bh,high(mask cond2)     ; Test for complete reduction
        jnz     angle_too_big           ; Exit if angle was too big
;
;       See if the angle must be reversed.
;
;       Assert: -PI/4 < st(0) < PI/4
;
        fabs                            ; 0 <= st(0) < PI/4
                                        ; C3 in bx has the sign flag
        test    bh,high(mask cond1)     ; must be reversed
        jz      no_tan_reverse
;
;       Angle fell in octants 1,3,5,7.  Reverse it, subtract it from PI/4.
;
        fsub                            ; Reverse angle
        jmp     short do_tangent
;
;       Angle is either zero or an unnormal.
;
tan_zero_unnormal:

        fstp    st(1)                   ; Remove PI/4
        jz      tan_angle_zero
;
;       Angle is an unnormal.
;
        call    normalize_value
        jmp     tan_normal

tan_angle_zero:

        ret
;
;       Angle fell in octants 0,2,4,6.  Test for st(0) = 0, fptan won't work.
;
no_tan_reverse:

        ftst                            ; Test for zero angle
        xchg    ax,cx
        fstsw   ax                      ; C3 = 1 if st(0) = 0
        xchg    ax,cx
        fstp    st(1)                   ; Remove PI/4
        test    ch,high(mask cond3)
        jnz     tan_zero

do_tangent:

        fptan                           ; tan ST(0) = ST(1)/ST(0)

after_tangent:
;
;       Decide on the order of the operands and their sign for the divide
;       operation while the fptan instruction is working.
;
        mov     al,bh                   ; Get a copy of fprem C3 flag
        and     ax,mask cond1 + high(mask cond3) ; Examine fprem C3 flag and
                                        ;  FXAM C1 flag
        test    bh,high(mask cond1 + mask cond3) ; Use reverse divide if in
                                        ;  octants 1,2,5,6
        jpo     reverse_divide          ; Note! parity works on low
                                        ;  8 bits only!
;
;       Angle was in octants 0,3,4,7.
;       Test for the sign of the result.  Two negatives cancel.
;
        or      al,ah
        jpe     positive_divide

        fchs                            ; Force result negative

positive_divide:

        fdiv                            ; Form result
        ret                             ; Ok to leave fdiv running

tan_zero:

        fld1                            ; Force 1/0 = tan(PI/2)
        jmp     after_tangent
;
;       Angle was in octants 1,2,5,6.
;       Set the correct sign of the result.
;
reverse_divide:

        or      al,ah
        jpe     positive_r_divide

        fchs                            ; Force result negative

positive_r_divide:

        fdivr                           ; Form reciprocal of result
        ret                             ; Ok to leave fdiv running

tangent endp
;
;       This function will normalize the value in st(0).
;       Then PI/4 is placed into st(1).
;
normalize_value:

        fabs                            ; Force value positive
        fxtract                         ; 0 <= st(0) < 1
        fld1                            ; Get normalize bit
        fadd    st(1),st                ; Normalize fraction
        fsub                            ; Restore original value
        fscale                          ; Form original normalized value
        fstp    st(1)                   ; Remove scale factor
        fld     pi_quarter              ; Get PI/4
        fxch
        ret

code    ends
        end

ASSEMBLY COMPLETE, NO WARNINGS, NO ERRORS

Figure 4-7. Calculating Trigonometric Functions (Cont’d.)


APPENDIX A
MACHINE INSTRUCTION ENCODING AND DECODING


Machine instructions for the 80287 come in one of five different forms as shown in table A-1. In all
cases, the instructions are at least two bytes long and begin with the bit pattern 11011B, which
identifies the ESCAPE class of instructions. Instructions that reference memory operands are encoded
much like similar CPU instructions, because all of the CPU memory-addressing modes may be used with
ESCAPE instructions.


Note that several of the processor control instructions (see table 2-11 in Chapter Two) may be preceded
by an assembler-generated CPU WAIT instruction (encoding: 10011011B) if they are programmed
using the WAIT form of their mnemonics. The ASM286 assembler inserts a WAIT instruction only
before these specific processor control instructions—all of the numeric instructions are automatically
synchronized by the 80286 CPU and an explicit WAIT instruction, though allowed, is not necessary.


Table A-1. 80287 Instruction Encoding


[Bit-field diagram of the five instruction forms, (1) through (5). Columns: Lower-Addressed Byte
(bits 7 6 5 4 3 2 1 0), Higher-Addressed Byte (bits 7 6 5 4 3 2 1 0), 0, 1, or 2 bytes.]

NOTES:

(1) Memory transfers, including applicable processor control instructions; 0, 1, or 2 displacement
    bytes may follow.
(2) Memory arithmetic and comparison instructions; 0, 1, or 2 displacement bytes may follow.
(3) Stack arithmetic and comparison instructions.
(4) Constant, transcendental, some arithmetic instructions.
(5) Processor control instructions that do not reference memory.

OP, OP-A, OP-B: Instruction opcode, possibly split into two fields.

MOD: Same as 80286 CPU mode field.

R/M: Same as 80286 CPU register/memory field.

FORMAT: Defines memory operand
    00 = short real
    01 = short integer
    10 = long real
    11 = word integer

R:  0 = return result to stack top
    1 = return result to other register

P:  0 = do not pop stack
    1 = pop stack after operation

REG: register stack element
    000 = stack top
    001 = next on stack
    010 = third stack element, etc.


Table A-2 lists all 80287 machine instructions in binary sequence. This table may be used to
“disassemble” instructions in unformatted memory dumps or instructions monitored from the data bus.
Users writing exception handlers may also find this information useful to identify the offending
instruction.
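
The following Python decoder is an added example, not code from the Intel manual. It applies the encoding rules described above (ESCAPE opcodes begin with 11011B, a WAIT or segment-override prefix may precede them, MOD and R/M select 0, 1, or 2 displacement bytes) to a constructed memory dump; the function names and the sample bytes are assumptions of this example.

```python
# Added example (not from the manual): field decoder for 80287 ESCAPE
# instructions, using the standard 8086/80287 bit positions.

WAIT = 0x9B                                  # CPU WAIT, 10011011B
SEGMENT_PREFIXES = {0x26, 0x2E, 0x36, 0x3E}  # ES:, CS:, SS:, DS: overrides
FORMATS = ("short real", "short integer", "long real", "word integer")


def displacement_length(mod, rm):
    """Displacement bytes (0, 1 or 2) implied by the MOD and R/M fields."""
    if mod == 0b00:
        return 2 if rm == 0b110 else 0       # MOD=00, R/M=110: direct address
    return {0b01: 1, 0b10: 2}.get(mod, 0)    # MOD=11 has no memory operand


def decode_esc(dump, offset=0):
    """Decode the ESCAPE instruction at dump[offset].

    Returns a dict of fields, or None if the bytes there (after any WAIT or
    segment-override prefix) are not an ESCAPE instruction.
    Raises ValueError if the instruction runs past the end of the dump.
    """
    pos = offset
    while pos < len(dump) and (dump[pos] == WAIT or dump[pos] in SEGMENT_PREFIXES):
        pos += 1
    if pos >= len(dump) or dump[pos] >> 3 != 0b11011:
        return None
    if pos + 1 >= len(dump):
        raise ValueError("ESCAPE opcode truncated at offset %d" % pos)
    first, second = dump[pos], dump[pos + 1]
    mod, ext, low = second >> 6, (second >> 3) & 0b111, second & 0b111
    end = pos + 2 + displacement_length(mod, low)
    if end > len(dump):
        raise ValueError("displacement truncated at offset %d" % pos)
    fields = {
        "offset": offset,
        "length": end - offset,              # prefixes + opcode + displacement
        "prefixes": bytes(dump[offset:pos]),
        "opcode": bytes(dump[pos:pos + 2]),
        "memory": mod != 0b11,
    }
    if fields["memory"]:
        fields["displacement"] = bytes(dump[pos + 2:end])
        # FORMAT (bits 2-1 of the first byte) names the operand type for the
        # arithmetic forms and for the basic load/store forms (extension 0-3).
        if first & 1 == 0 or ext < 4:
            fields["format"] = FORMATS[(first >> 1) & 0b11]
    elif first & 1 == 0:
        # Stack arithmetic and comparison: R and P bits, REG operand.
        fields["reg"] = low                  # 000 = stack top, 001 = next, ...
        fields["r"] = (first >> 2) & 1       # 1 = result to other register
        fields["p"] = (first >> 1) & 1       # 1 = pop stack after operation
    return fields


def decode_run(dump):
    """Decode consecutive ESCAPE instructions from the start of dump."""
    out, pos = [], 0
    while pos < len(dump):
        fields = decode_esc(dump, pos)
        if fields is None:                   # first non-ESCAPE byte ends the run
            break
        out.append(fields)
        pos += fields["length"]
    return out


# Constructed sample dump: FSTSW AX (WAIT form), FPTAN, FLD temp-real with a
# CS: override and a direct address, FADD long-real [BP+8], FADDP ST(1),ST,
# followed by a CPU RET that ends the run.
SAMPLE = bytes.fromhex("9BDFE0" "D9F2" "2EDB2E0000" "DC4608" "DEC1" "C3")

if __name__ == "__main__":
    for entry in decode_run(SAMPLE):
        print(entry)
```

The reported length counts the leading prefixes, which matters to an exception handler that has to step over or re-read the offending instruction starting from a saved address that includes them.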


Table A-2. Machine Instruction Decoding Guide


Bytes 3, 4             ASM286 Instruction Format

(disp-lo),(disp-hi)    FADD      short-real
(disp-lo),(disp-hi)    FMUL      short-real
(disp-lo),(disp-hi)    FCOM      short-real
(disp-lo),(disp-hi)    FCOMP     short-real
(disp-lo),(disp-hi)    FSUB      short-real
(disp-lo),(disp-hi)    FSUBR     short-real
(disp-lo),(disp-hi)    FDIV      short-real
(disp-lo),(disp-hi)    FDIVR     short-real
                       FADD      ST,ST(i)
                       FMUL      ST,ST(i)
                       FCOM      ST(i)
                       FCOMP     ST(i)
                       FSUB      ST,ST(i)
                       FSUBR     ST,ST(i)
                       FDIV      ST,ST(i)
                       FDIVR     ST,ST(i)
(disp-lo),(disp-hi)    FLD       short-real
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FST       short-real
(disp-lo),(disp-hi)    FSTP      short-real
(disp-lo),(disp-hi)    FLDENV    14-bytes
(disp-lo),(disp-hi)    FLDCW     2-bytes
(disp-lo),(disp-hi)    FSTENV    14-bytes
(disp-lo),(disp-hi)    FSTCW     2-bytes
                       FLD       ST(i)
                       FXCH      ST(i)
                       FNOP
                       reserved
                       *(1)
                       FCHS
                       FABS
                       reserved
                       FTST
                       FXAM
                       reserved
                       FLD1
                       FLDL2T
                       FLDL2E
                       FLDPI
                       FLDLG2
                       FLDLN2
                       FLDZ
                       reserved
                       F2XM1
                       FYL2X
                       FPTAN
                       FPATAN
                       FXTRACT
                       reserved
                       FDECSTP
                       FINCSTP
                       FPREM
                       FYL2XP1
                       FSQRT
                       reserved
                       FRNDINT
                       FSCALE
                       reserved
(disp-lo),(disp-hi)    FIADD     short-integer
(disp-lo),(disp-hi)    FIMUL     short-integer
(disp-lo),(disp-hi)    FICOM     short-integer
(disp-lo),(disp-hi)    FICOMP    short-integer
(disp-lo),(disp-hi)    FISUB     short-integer
(disp-lo),(disp-hi)    FISUBR    short-integer
(disp-lo),(disp-hi)    FIDIV     short-integer
(disp-lo),(disp-hi)    FIDIVR    short-integer
                       reserved
(disp-lo),(disp-hi)    FILD      short-integer
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FIST      short-integer
(disp-lo),(disp-hi)    FISTP     short-integer
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FLD       temp-real
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FSTP      temp-real
                       reserved
                       reserved (8087 FENI)
                       reserved (8087 FDISI)
                       FCLEX
                       FINIT
                       FSETPM
                       reserved
                       reserved
(disp-lo),(disp-hi)    FADD      long-real
(disp-lo),(disp-hi)    FMUL      long-real
(disp-lo),(disp-hi)    FCOM      long-real
(disp-lo),(disp-hi)    FCOMP     long-real
(disp-lo),(disp-hi)    FSUB      long-real
(disp-lo),(disp-hi)    FSUBR     long-real
(disp-lo),(disp-hi)    FDIV      long-real
(disp-lo),(disp-hi)    FDIVR     long-real
                       FADD      ST(i),ST
                       FMUL      ST(i),ST
                       *(2)
                       *(3)
                       FSUB      ST(i),ST
                       FSUBR     ST(i),ST
                       FDIV      ST(i),ST
                       FDIVR     ST(i),ST
(disp-lo),(disp-hi)    FLD       long-real
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FST       long-real
(disp-lo),(disp-hi)    FSTP      long-real
(disp-lo),(disp-hi)    FRSTOR    94-bytes
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FSAVE     94-bytes
(disp-lo),(disp-hi)    FSTSW     2-bytes
                       FFREE     ST(i)
                       *(4)
                       FST       ST(i)
                       FSTP      ST(i)
                       reserved
(disp-lo),(disp-hi)    FIADD     word-integer
(disp-lo),(disp-hi)    FIMUL     word-integer
(disp-lo),(disp-hi)    FICOM     word-integer
(disp-lo),(disp-hi)    FICOMP    word-integer
(disp-lo),(disp-hi)    FISUB     word-integer
(disp-lo),(disp-hi)    FISUBR    word-integer
(disp-lo),(disp-hi)    FIDIV     word-integer
(disp-lo),(disp-hi)    FIDIVR    word-integer
                       FADDP     ST(i),ST
                       FMULP     ST(i),ST
                       *(5)
                       reserved
                       FCOMPP
                       reserved
                       reserved
                       FSUBP     ST(i),ST
                       FSUBRP    ST(i),ST
                       FDIVP     ST(i),ST
                       FDIVRP    ST(i),ST
(disp-lo),(disp-hi)    FILD      word-integer
(disp-lo),(disp-hi)    reserved
(disp-lo),(disp-hi)    FIST      word-integer
(disp-lo),(disp-hi)    FISTP     word-integer
(disp-lo),(disp-hi)    FBLD      packed-decimal
(disp-lo),(disp-hi)    FILD      long-integer
(disp-lo),(disp-hi)    FBSTP     packed-decimal
(disp-lo),(disp-hi)    FISTP     long-integer
                       *(6)
                       *(7)
                       *(8)
                       *(9)
                       FSTSW     AX
                       reserved

NOTE:

* The marked encodings are not generated by the language translators. If, however, the 80287 encounters
one of these encodings in the instruction stream, it will execute it as follows:

(1) FSTP ST(i)
(2) FCOM ST(i)
(3) FCOMP ST(i)
(4) FXCH ST(i)
(5) FCOMP ST(i)
(6) FFREE ST(i) and pop stack
(7) FXCH ST(i)
(8) FSTP ST(i)
(9) FSTP ST(i)


APPENDIX B
COMPATIBILITY BETWEEN
THE 80287 NPX AND THE 8087


The iAPX 286/20 operating in Real-Address mode will execute iAPX 86/20 programs without major
modification. However, because of differences in the handling of numeric exceptions by the 80287
NPX and the 8087 NPX, exception-handling routines may need to be changed.


This appendix summarizes the differences between the 80287 NPX and the 8087 NPX, and provides
details showing how iAPX 86/20 programs can be ported to the iAPX 286/20.


1. The NPX signals exceptions through a dedicated ERROR line to the 80286. The NPX error
   signal does not pass through an interrupt controller (the 8087 INT signal does). Therefore, any
   interrupt-controller-oriented instructions in numeric exception handlers for the iAPX 86/20 should
   be deleted.

2. The 8087 instructions FENI/FNENI and FDISI/FNDISI perform no useful function in the 80287.
   If the 80287 encounters one of these opcodes in its instruction stream, the instruction will
   effectively be ignored—none of the 80287 internal states will be updated. While iAPX 86/20 code
   containing these instructions may be executed on the iAPX 286/20, it is unlikely that the
   exception-handling routines containing these instructions will be completely portable to the 80287.

3. Interrupt vector 16 must point to the numeric exception handling routine.

4. The ESC instruction address saved in the 80287 includes any leading prefixes before the ESC
   opcode. The corresponding address saved in the 8087 does not include leading prefixes.

5. In Protected-Address mode, the format of the 80287’s saved instruction and address pointers is
   different than for the 8087. The instruction opcode is not saved in Protected mode—exception
   handlers will have to retrieve the opcode from memory if needed.

6. Interrupt 7 will occur in the 80286 when executing ESC instructions with either TS (task switched)
   or EM (emulation) of the 80286 MSW set (TS=1 or EM=1). If TS is set, then a WAIT instruction
   will also cause interrupt 7. An exception handler should be included in iAPX 286/20 code to
   handle these situations.

7. Interrupt 9 will occur if the second or subsequent words of a floating-point operand fall outside a
   segment’s size. Interrupt 13 will occur if the starting address of a numeric operand falls outside a
   segment’s size. An exception handler should be included in iAPX 286/20 code to report these
   programming errors.

8. Except for the processor control instructions, all of the 80287 numeric instructions are
   automatically synchronized by the 80286 CPU—the 80286 automatically tests the BUSY line from the
   80287 to ensure that the 80287 has completed its previous instruction before executing the next
   ESC instruction. No explicit WAIT instructions are required to assure this synchronization. For
   the 8087 used with iAPX 86 and iAPX 88 processors, explicit WAITs are required before each
   numeric instruction to ensure synchronization. Although iAPX 86/20 programs having explicit
   WAIT instructions will execute perfectly on the iAPX 286/20 without reassembly, these WAIT
   instructions are unnecessary.

   Since the 80287 does not require WAIT instructions before each numeric instruction, the ASM286
   assembler does not automatically generate these WAIT instructions. The ASM86 assembler,
   however, automatically precedes every ESC instruction with a WAIT instruction. Although numeric
   routines generated using the ASM86 assembler will generally execute correctly on the iAPX 286/20,
   reassembly using ASM286 may result in a more compact code image.

9. The processor control instructions for the 80287 may be coded using either a WAIT or No-WAIT
   form of mnemonic. The WAIT forms of these instructions cause ASM286 to precede the ESC
   instruction with a CPU WAIT instruction, in the identical manner as does ASM86.

10. A recommended way to detect the presence of an 80287 in an iAPX 286 system (or an 8087 in an
    iAPX 86 system) is shown below. It assumes that the system hardware causes the data bus to be
    high if no 80287 is present to drive the data lines during the FSTSW (Store 80287 Status Word)
    instruction.

FND_287:    FNINIT                  ; initialize numeric processor.
            FSTSW   STAT            ; store status word into location
                                    ; STAT.
            MOV     AX,STAT
            OR      AL,AL           ; Zero Flag reflects result of OR.
            JZ      GOT_287         ; Zero in AL means 80287 is
                                    ; present.
;
;   No 80287 Present
;
            SMSW    AX
            OR      AX,0004H        ; set EM bit in Machine Status
                                    ; Word.
            LMSW    AX              ; to enable software emulation of
                                    ; 287.
            JMP     CONTINUE
;
;   80287 is present in system
;
GOT_287:    SMSW    AX
            OR      AX,0002H        ; set MP bit in Machine Status Word
            LMSW    AX              ; to permit normal 80287 operation
;
;   Continue
;
CONTINUE:                           ; and off we go

An 80286/80287 design must place a pullup resistor on one of the low eight data bus bits of the
80286 to be sure it is read as a high when no 80287 is present.


APPENDIX C
IMPLEMENTING THE IEEE P754 STANDARD


The iAPX 286/20 computing system, containing the 80287 NPX and standard support library software,
provides an implementation of the IEEE “A Proposed Standard for Binary Floating-Point Arithmetic,”
Draft 10.0, Task P754, of December 2, 1982. The 80287 Support Library, described in 80287 Support
Library Reference Manual, Order Number 122129, is an example of such a support library.


This appendix describes the relationship between the 80287 NPX and the IEEE Standard. Where the
Standard has options, Intel’s choices in implementing the 80287 are described. Where portions of the
Standard are implemented through software, this appendix indicates which modules of the 80287
Support Library implement the Standard. Where special software in addition to the Support Library
may be required by your application, this appendix indicates how to write this software.


This appendix contains many terms with precise technical meanings, specified in the 754 Standard.
Where these terms are used, they have been capitalized to emphasize the precision of their meanings.
The Glossary provides the definitions for all capitalized phrases in this appendix.


OPTIONS IMPLEMENTED IN THE 80287 


The 80287 SHORT_REAL and LONG_REAL formats conform precisely to the Standard’s Single 
and Double Floating-Point Numbers, respectively. The 80287 TEMP_REAL format is the same as the 
Standard’s Double Extended format. The Standard allows a choice of Bias in representing the exponent; 
the 80287 uses the Bias 16383 decimal. 


For the Double Extended format, the Standard contains an option for the meaning of the minimum
exponent combined with a nonzero significand. The Bias for this special case can be either 16383, as
in all the other cases, or 16382, making the smallest exponent equivalent to the second-smallest exponent.
The 80287 uses the Bias 16382 for this case. This allows the 80287 to distinguish between Denormal
numbers (integer part is zero, fraction is nonzero, Biased exponent is 0) and Unnormal numbers of the
same value (same as the denormal except the Biased Exponent is 1).


The Standard allows flexibility in specifying which NaNs are trapping and which are nontrapping. The 
EH287.LIB module of the 80287 Support Library provides a software implementation of nontrapping 
NaNs, and defines one distinction between trapping and nontrapping NaNs: If the most significant bit 
of the fractional part of a NaN is 1, the NaN is nontrapping. If it is 0, the NaN is trapping. 


When a masked Invalid Operation error involves two NaN inputs, the Standard allows flexibility in 
choosing which NaN is output. The 80287 selects the NaN whose absolute value is greatest. 
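
The following Python classifier is an added example, not Intel's code and not part of the 80287 Support Library. It applies the format choices described above to the 10-byte memory image of a TEMP_REAL number; the function names and sample values are constructed for this example, and treating a maximum exponent with a zero fraction as infinity follows the Standard's Double Extended format.

```python
# Added example: classify TEMP_REAL (Double Extended) memory images using the
# options described in this appendix. Names and samples are constructed.
from fractions import Fraction
from typing import NamedTuple

EXP_MAX = 0x7FFF                 # all-ones biased exponent: infinity or NaN
FRACTION_MASK = (1 << 63) - 1    # low 63 bits of the 64-bit significand


class TempReal(NamedTuple):
    sign: int
    exponent: int                # biased exponent, 15 bits
    significand: int             # 64 bits, explicit integer bit on top
    kind: str


def pack(sign, exponent, significand):
    """Build the 10-byte little-endian memory image of a TEMP_REAL."""
    top = (sign << 15) | exponent
    return significand.to_bytes(8, "little") + top.to_bytes(2, "little")


def classify(raw):
    """Split a 10-byte image into its fields and name its class."""
    if len(raw) != 10:
        raise ValueError("a TEMP_REAL operand is 10 bytes")
    significand = int.from_bytes(raw[:8], "little")
    top = int.from_bytes(raw[8:], "little")
    sign, exponent = top >> 15, top & EXP_MAX
    fraction = significand & FRACTION_MASK
    if exponent == EXP_MAX:
        if fraction == 0:
            kind = "infinity"
        else:
            # EH287.LIB convention: most significant fraction bit 1 means
            # nontrapping, 0 means trapping.
            kind = "nontrapping NaN" if fraction >> 62 else "trapping NaN"
    elif exponent == 0:
        # Biased exponent 0 is Denormal even if the integer bit is 1.
        kind = "denormal" if significand else "zero"
    elif significand >> 63 == 0:
        kind = "unnormal"
    else:
        kind = "normal"
    return TempReal(sign, exponent, significand, kind)


def exact_value(raw):
    """Exact rational value; Bias is 16382 for exponent 0, else 16383."""
    n = classify(raw)
    if n.exponent == EXP_MAX:
        raise ValueError("%s has no numeric value" % n.kind)
    bias = 16382 if n.exponent == 0 else 16383
    magnitude = Fraction(n.significand, 1 << 63) * Fraction(2) ** (n.exponent - bias)
    return -magnitude if n.sign else magnitude


def select_nan(a, b):
    """NaN delivered for a masked Invalid Operation with two NaN inputs:
    the one whose absolute value (sign ignored) is greatest."""
    na, nb = classify(a), classify(b)
    if "NaN" not in na.kind or "NaN" not in nb.kind:
        raise ValueError("both operands must be NaNs")
    return a if na.significand >= nb.significand else b


# Constructed samples.
HALF_FRACTION = 1 << 62                          # integer bit 0, top fraction bit 1
DENORMAL = pack(0, 0, HALF_FRACTION)
UNNORMAL = pack(0, 1, HALF_FRACTION)             # same value, Biased Exponent 1
DENORMAL_INT_BIT = pack(0, 0, 1 << 63)           # exponent 0 with integer bit 1
ONE = pack(0, 16383, 1 << 63)
TRAPPING_NAN = pack(0, EXP_MAX, (1 << 63) | 1)
NONTRAPPING_NAN = pack(1, EXP_MAX, (1 << 63) | (1 << 62))

if __name__ == "__main__":
    for name in ("DENORMAL", "UNNORMAL", "DENORMAL_INT_BIT", "ONE",
                 "TRAPPING_NAN", "NONTRAPPING_NAN"):
        print(name, classify(globals()[name]).kind)
```

Exact rational arithmetic is used because the smallest TEMP_REAL magnitudes lie far below the range of a host double.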


AREAS OF THE STANDARD IMPLEMENTED IN SOFTWARE


There are five areas of the Standard that are not implemented directly in the 80287 hardware; these
areas are instead implemented in software as part of the 80287 Support Library.


1. The Standard requires that a Normalizing Mode be provided, in which any nonnormal operands
   to functions are automatically normalized before the function is performed. The NPX provides a
   “Denormal operand” exception for this case, allowing the exception handler the opportunity to
   perform the normalization specified by the Standard. The Denormal operand exception handler
   provided by EH287.LIB implements the Standard’s Normalizing Mode completely for Single- and
   Double-precision arguments. Normalizing mode for Double Extended operands is implemented in
   EH287.LIB with one non-Standard feature, discussed in the next section.

2. The Standard specifies that in comparing two operands whose relationship is “unordered,” the
   equality test yield an answer of FALSE, with no errors or exceptions. The 80287 FCOM and
   FTST instructions themselves issue an Invalid Operation exception in this case. The error handler
   EH287.LIB filters out this Invalid Operation error using the following convention: Whenever an
   FCOM or FTST instruction is followed by a MOV AX,AX instruction (8BC0 Hex), and neither
   argument is a trapping NaN, the error handler will assume that a Standard equality comparison
   was intended, and return the correct answer with the Invalid Operation exception flag erased.
   Note that the Invalid Operation exception must be unmasked for this action to occur.

3. The Standard requires that two kinds of NaN’s be provided: trapping and nontrapping.
   Nontrapping NaNs will not cause further Invalid Operation errors when they occur as operands to
   calculations. The NPX hardware directly supports only trapping NaN’s; the EH287.LIB software
   implements nontrapping NaNs by returning the correct answer with the Invalid Operation
   exception flag erased. Note that the Invalid Operation exception must be unmasked for this action
   to occur.

4. The Standard requires that all functions that convert real numbers to integer formats
   automatically normalize the inputs if necessary. The integer conversion functions contained in
   CEL287.LIB fully meet the Standard in this respect; the 80287 FIST instruction alone does not
   perform this normalization.

5. The Standard specifies the remainder function which is provided by mqerRMD in CEL287.LIB.
   The 80287 FPREM instruction returns answers within a different range.


ADDITIONAL SOFTWARE TO MEET THE STANDARD


There are two cases in which additional software is required in conjunction with the 80287 Support
Library in order to meet the standard. The 80287 Support Library does not provide this software in
the interest of saving space and because the vast majority of applications will never encounter these
cases.


1. When the Invalid Operation exception is masked, Nontrapping NaNs are not implemented fully.
   Likewise, the Standard’s equality test for “unordered” operands is not implemented when the
   Invalid Operation exception is masked. Programmers can simulate the Standard notion of a masked
   Invalid Operation exception by unmasking the 80287 Invalid Operation exception, and providing
   an Invalid Operation exception handler that supports nontrapping NaNs and the equality test, but
   otherwise acts just as if the Invalid Operation exception were masked. The 80287 Support Library
   Reference Manual contains examples for programming this handler in both ASM286 and
   PL/M-286.

2. In Normalizing Mode, Denormal operands in the TEMP_REAL format are converted to 0 by
   EH287.LIB, giving sharp Underflow to 0. The Standard specifies that the operation be performed
   on the real numbers represented by the denormals, giving gradual underflow. To correctly perform
   such arithmetic while in Normalizing Mode, programmers would have to normalize the operands
   into a format identical to TEMP_REAL except for two extra exponent bits, then perform the
   operation on those numbers. Thus, software must be written to handle the 17-bit exponent explicitly.


In designing the EH287.LIB, it was felt that it would be a disadvantage to most users to increase the
size of the Normalizing routine by the amount necessary to provide this expanded arithmetic. Because
the TEMP_REAL exponent field is so much larger than the LONG_REAL exponent field, it is
extremely unlikely that TEMP_REAL underflow will be encountered in most applications.

If meeting the Standard is a more important criterion for your application than the choice between
Normalizing and warning modes, then you can select warning mode (Denormal operand exceptions
masked), which fully meets the Standard.


If you do wish to implement the Normalization of denormal operands in TEMP_REAL format using
extra exponent bits, the list below indicates some useful pointers about handling Denormal operand
exceptions:


1. TEMP_REAL numbers are considered Denormal by the NPX whenever the Biased Exponent is
   0 (minimum exponent). This is true even if the explicit integer bit of the significand is 1. Such
   numbers can occur as the result of Underflow.

2. The 80287 FLD instruction can cause a Denormal Operand error if a number is being loaded
   from memory. It will not cause this exception if the number is being loaded from elsewhere in the
   80287 stack.

3. The 80287 FCOM and FTST instructions will cause a Denormal Operand exception for unnormal
   operands as well as for denormal operands.

4. In cases where both the Denormal Operand and Invalid Operation exceptions occur, you will want
   to know which is signalled first. When a comparison instruction operates between a nonexistent
   stack element and a denormal number in 80286 memory, the D and I exceptions are issued
   simultaneously. In all other situations, a Denormal Operand exception takes precedence over a
   nonstack Invalid operation exception, while a stack Invalid Operation exception takes precedence
   over a Denormal Operand exception.


80287
80-Bit HMOS
NUMERIC PROCESSOR EXTENSION
80287-3


■ High Performance 80-Bit Internal Architecture
■ Implements Proposed IEEE Floating Point Standard 754
■ Expands iAPX 286/10 Datatypes to Include 32-, 64-, 80-Bit Floating Point, 32-, 64-Bit Integers
  and 18-Digit BCD Operands
■ Object Code Compatible with 8087
■ Built-in Exception Handling
■ Operates in Both Real and Protected Mode iAPX 286 Systems
■ Protected Mode Operation Completely Conforms to the iAPX 286 Memory Management and
  Protection Mechanisms
■ Directly Extends iAPX 286/10 Instruction Set to Trigonometric, Logarithmic, Exponential and
  Arithmetic Instructions for All Datatypes
■ 8x80-Bit, Individually Addressable, Numeric Register Stack
■ Available in EXPRESS—Standard Temperature Range


The Intel® 80287 is a high performance numerics processor extension that extends the iAPX 286/10
architecture with floating point, extended integer and BCD data types. The iAPX 286/20 computing system
(80286 with 80287) fully conforms to the proposed IEEE Floating Point Standard. Using a numerics
oriented architecture, the 80287 adds over fifty mnemonics to the iAPX 286/20 instruction set, making the
iAPX 286/20 a complete solution for high performance numeric processing. The 80287 is implemented in
N-channel, depletion load, silicon gate technology (HMOS) and packaged in a 40-pin ceramic package.
The iAPX 286/20 is object code compatible with the iAPX 86/20 and iAPX 88/20.


[Block diagram: BUS INTERFACE UNIT and NUMERIC EXECUTION UNIT, with exponent and fraction paths and
the register stack. Pin diagram: 40-pin package.]

NOTE: N.C. PINS MUST NOT BE CONNECTED.


Figure 1. 80287 Block Diagram Figure 2. 80287 Pin Configuration 


Intel Corporation Assumes No Responsibility for the Use of Any Circuitry Other Than Circuitry Embodied in an Intel Product. No Other Circuit
Patent Licenses are Implied. OCTOBER 1983
© INTEL CORPORATION, 1983. ORDER NUMBER: 210920-002
Table 1. 80287 Pin Description


Clock input: this clock provides the basic timing for internal 80287 operations.
Special MOS level inputs are required. The 82284 or 8284A CLK
outputs are compatible to this input.


Clock Mode signal: indicates whether CLK input is to be divided by 3 or
used directly. A HIGH input will cause CLK to be used directly. This input
may be connected to Vcc or Vss as appropriate. This input must be either
HIGH or LOW 20 CLK cycles before RESET goes LOW.


System Reset: causes the 80287 to immediately terminate its present activity
and enter a dormant state. RESET is required to be HIGH for more than
4 80287 CLK cycles. For proper initialization the HIGH-LOW transition must
occur no sooner than 50 us after Vcc and CLK meet their D.C. and A.C.
specifications.


Data: 16-bit bidirectional data bus. Inputs to these pins may be applied
asynchronous to the 80287 clock.


Busy status: asserted by the 80287 to indicate that it is currently executing
a command.


Error status: reflects the ES bit of the status word. This signal indicates
that an unmasked error condition exists.


Processor Extension Data Channel operand transfer request: a HIGH on
this output indicates that the 80287 is ready to transfer data. PEREQ will be
disabled upon assertion of PEACK or upon actual data transfer, whichever
occurs first, if no more transfers are required.


Processor Extension Data Channel operand transfer ACKnowledge: acknowledges
that the request signal (PEREQ) has been recognized. Will
cause the request (PEREQ) to be withdrawn in case there are no more
transfers required. PEACK may be asynchronous to the 80287 clock.


Numeric Processor Read: Enables transfer of data from the 80287. This
input may be asynchronous to the 80287 clock.


Numeric Processor Write: Enables transfer of data to the 80287. This input
may be asynchronous to the 80287 clock.


Numeric Processor Selects: indicate the CPU is performing an ESCAPE instruction.
Concurrent assertion of these signals (i.e., NPS1 is LOW and NPS2 is
HIGH) enables the 80287 to perform floating point instructions. No data transfers
involving the 80287 will occur unless the device is selected via these
lines. These inputs may be asynchronous to the 80287 clock.


CMD1, CMD0  Command lines: These, along with select inputs, allow the CPU to direct the
operation of the 80287.
These inputs may be asynchronous to the 80287 clock.
Table 1. 80287 Pin Description (cont.)


CPU Clock: This input provides a sampling edge for the 80287 inputs S1, S0,
COD/INTA, READY, and HLDA. It must be connected to the 80286 CLK input.


S1, S0, COD/INTA  Status: These inputs must be connected to the corresponding 80286 pins.


HLDA  Hold Acknowledge: This input informs the 80287 when the 80286 controls
the local bus. It must be connected to the 80286 HLDA output.


Ready: The end of a bus cycle is signaled by this input. It must be connected
to the 80286 READY input.


System ground, both pins must be connected to ground.


+5V supply


FUNCTIONAL DESCRIPTION


The 80287 Numeric Processor Extension (NPX)
provides arithmetic instructions for a variety of
numeric data types in iAPX 286/20 systems. It also
executes numerous built-in transcendental functions
(e.g., tangent and log functions). The 80287
executes instructions in parallel with a 80286. It
effectively extends the register and instruction set
of an iAPX 286/10 system for existing iAPX 286
datatypes and adds several new data types as well.
Figure 3 presents the program visible register
model of the iAPX 286/20. Essentially, the 80287
can be treated as an additional resource or an
extension to the iAPX 286/10 that can be used as a
single unified system, the iAPX 286/20.


Figure 3. iAPX 286/20 Architecture (80287 portion: register stack with tag field, exponent and significand; control register, status register, tag word, instruction pointer, data pointer)
The 80287 has two operating modes similar to the
two modes of the 80286. When reset, 80287 is in
the real address mode. It can be placed in the
protected virtual address mode by executing the
SETPM ESC instruction. The 80287 cannot be
switched back to the real address mode except by
reset. In the real address mode, the iAPX 286/20 is
completely software compatible with iAPX 86/20,
88/20.


Once in protected mode, all references to memory
for numerics data or status information, obey the
iAPX 286 memory management and protection
rules giving a fully protected extension of the
80286 CPU. In the protected mode, iAPX 286/20
numerics software is also completely compatible
with iAPX 86/20 and iAPX 88/20.


SYSTEM CONFIGURATION 


As a processor extension to an 80286, the 80287 
can be connected to the CPU as shown in Figure 4. 
The data channel control signals (PEREQ, 
PEACK), the BUSY signal and the NPRD, NPWR 
signals, allow the NPX to receive instructions and 
data from the CPU. When in the protected mode, all 
information received by the NPX is validated by the 
80286 memory management and protection unit. 
Once started, the 80287 can process in parallel
with and independent of the host CPU. When the 
NPX detects an error or exception, it will indicate 
this to the CPU by asserting the ERROR signal. 


The NPX uses the processor extension request and 
acknowledge pins of the 80286 CPU to implement 
data transfers with memory under the protection 
model of the CPU. The full virtual and physical 
address space of the 80286 is available. Data for 
the 80287 in memory is addressed and represented 
in the same manner as for an 8087. 


The 80287 can operate either directly from the CPU 
clock or with a dedicated clock. For operation with 
the CPU clock (CKM=0), the 80287 works at one- 
third the frequency of the system clock (i.e., for an 
8 MHz 80286, the 16 MHz system clock is divided 
down to 5.3 MHz). The 80287 provides a capability
to internally divide the CPU clock by three to produce
the required internal clock (33% duty cycle).
To use a higher performance 80287 (8 MHz), an
8284A clock driver and appropriate crystal may be 
used to directly drive the 80287 with a 1/3 duty 
cycle clock on the CLK input (CKM=1). 
HARDWARE INTERFACE


Communication of instructions and data operands
between the 80286 and 80287 is handled by the
CMD0, CMD1, NPS1, NPS2, NPRD, and NPWR signals.
I/O port addresses 00F8H, 00FAH, and 00FCH
are used by the 80286 for this communication. When
any of these addresses are used, the NPS1 input
must be LOW and NPS2 input HIGH. The IORC and
IOWC outputs of the 82288 identify I/O space transfers
(see Figure 4). CMD0 should be connected to
latched 80286 A1 and CMD1 should be connected to
latched 80286 A2. The S1, S0, COD/INTA, READY,
HLDA, and CLK pins of the 80286 are connected to
the same named pins on the 80287.


I/O ports 00F8H to 00FFH are reserved for the
80286/80287 interface. To guarantee correct operation
of the 80287, programs must not perform any
I/O operations to these ports.


The PEREQ, PEACK, BUSY, and ERROR signals of 
the 80287 are connected to the same-named 80286 
input. The data pins of the 80287 should be directly 
connected to the 80286 data bus. Note that all bus 
drivers connected to the 80286 local bus must be 
inhibited when the 80286 reads from the 80287. 
The use of COD/INTA and M/IO in the decoder 
prevents INTA bus cycles from disabling the data 
transceivers. 


PROGRAMMING INTERFACE 


Table 2 lists the seven data types the 80287 supports
and presents the format for each type. These
values are stored in memory with the least significant
digits at the lowest memory address. Programs
retrieve these values by generating the
lowest address. All values should start at even
addresses for maximum system performance.


Internally the 80287 holds all numbers in the temporary
real format. Load instructions automatically
convert operands represented in memory as
16-, 32-, or 64-bit integers, 32- or 64-bit floating
point number or 18-digit packed BCD numbers
into temporary real format. Store instructions perform
the reverse type conversion.


80287 computations use the processor's register
stack. These eight 80-bit registers provide the
equivalent capacity of 40 16-bit registers. The
80287 register set can be accessed as a stack, with
instructions operating on the top one or two stack
elements, or as a fixed register set, with instructions
operating on explicitly designated registers.


Table 6 lists the 80287's instructions by class. No
special programming tools are necessary to use
the 80287 since all new instructions and data types
are directly supported by the iAPX 286 assembler
and appropriate high level languages. All iAPX
86/88 development tools which support the 8087
can also be used to develop software for the iAPX
286/20 in real address mode.


Table 3 gives the execution times of some typical
numeric instructions.


Figure 4. iAPX 286/20 System Configuration (schematic; labelled signals include ADDRESS, ERROR, BUSY, PEREQ, PEACK, HLDA, COD/INTA, RESET and READY, with the 82284)


Table 2. 80287 Datatype Representation in Memory

[Bit-layout columns not legible. Surviving labels: Data Formats, Range, Precision; Most Significant Byte = HIGHEST ADDRESSED BYTE; Word Integer, 16 Bits (TWO'S COMPLEMENT); Short Integer (TWO'S COMPLEMENT); Packed BCD, 18 Digits (MAGNITUDE); BIASED exponent fields for the real formats.]


NOTES:

(1) S = Sign bit (0 = positive, 1 = negative)

(2) d_n = Decimal digit (two per byte)

(3) X = Bits have no significance; 8087 ignores when loading,
zeros when storing.

(4) ▲ = Position of implicit binary point

(5) I = Integer bit of significand; stored in temporary real,
implicit in short and long real

(6) Exponent Bias (normalized values):
Short Real: 127 (7FH)
Long Real: 1023 (3FFH)
Temporary Real: 16383 (3FFFH)

(7) Packed BCD: (-1)^S (D_17 ... D_0)

(8) Real: (-1)^S (2^(E-BIAS)) (F_0 . F_1 ...)
Table 3. Execution Time for Selected 80287 Instructions


                                 Approximate Execution Time (us)
Floating Point Instruction       80287 (5 MHz Operation)

Add/Subtract                     14/18
Multiply (single precision)      19
Multiply (extended precision)    27
Exponentiation


SOFTWARE INTERFACE


The iAPX 286/20 is programmed as a single processor.
All communication between the 80286 and
the 80287 is transparent to software. The CPU automatically
controls the 80287 whenever a numeric
instruction is executed. All memory addressing
modes, physical memory, and virtual memory of
the CPU are available for use by the NPX.


Since the NPX operates in parallel with the CPU,
any errors detected by the NPX may be reported
after the CPU has executed the ESCAPE instruction
which caused it. To allow identification of the
failing numeric instruction, the NPX contains two
pointer registers which identify the address of the
failing numeric instruction and the numeric
memory operand if appropriate for the instruction
encountering this error.


INTERRUPT DESCRIPTION


Several interrupts of the iAPX 286 are used to
report exceptional conditions while executing
numeric programs in either real or protected
mode. The interrupts and their functions are
shown in Table 4.

Table 4. 80286 Interrupt Vectors Reserved for NPX


Interrupt Number    Interrupt Function


7     An ESC instruction was encountered when EM or TS of the 80286 MSW was set.
      EM=1 indicates that software emulation of the instruction is required. When TS is
      set, either an ESC or WAIT instruction will cause interrupt 7. This indicates that the
      current NPX context may not belong to the current task.


9     The second or subsequent words of a numeric operand in memory exceeded a
      segment's limit. This interrupt occurs after executing an ESC instruction. The saved
      return address will not point at the numeric instruction causing this interrupt. After
      processing the addressing error, the iAPX 286 program can be restarted at the
      return address with IRET. The address of the failing numeric instruction and
      numeric operand are saved in the 80287. An interrupt handler for this interrupt must
      execute FNINIT before any other ESC or WAIT instruction.


13    The starting address of a numeric operand is not in the segment's limit. The return
      address will point at the ESC instruction, including prefixes, causing this error. The
      80287 has not executed this instruction. The instruction and data address in 80287
      refer to a previous, correctly executed, instruction.


16    The previous numeric instruction caused an unmasked numeric error. The address
      of the faulty numeric instruction or numeric data operand is stored in the 80287.
      Only ESC or WAIT instructions can cause this interrupt. The 80286 return address
      will point at a WAIT or ESC instruction, including prefixes, which may be restarted
      after clearing the error condition in the NPX.


PROCESSOR ARCHITECTURE


As shown in Figure 1, the NPX is internally divided
into two processing elements, the bus interface
unit (BIU) and the numeric execution unit (NEU).
The NEU executes all numeric instructions, while
the BIU receives and decodes instructions, requests
operand transfers to and from memory and
executes processor control instructions. The two
units are able to operate independently of one
another allowing the BIU to maintain asynchronous
communication with the CPU while the NEU
is busy processing a numeric instruction.


BUS INTERFACE UNIT

The BIU decodes the ESC instruction executed by the
CPU. If the ESC code defines a math instruction, the
BIU transmits the formatted instruction to the NEU. If
the ESC code defines an administrative instruction,
the BIU executes it independently of the NEU. The
parallel operation of the NPX with the CPU is normally
transparent to the user. The BIU generates the BUSY
and ERROR signals for 80286/80287 processor synchronization
and error notification, respectively.


The 80287 executes a single numeric instruction at
a time. When executing most ESC instructions, the
80286 tests the BUSY pin and waits until the 80287
indicates that it is not busy before initiating the command.
Once initiated, the 80286 continues program
execution while the 80287 executes the ESC instruction.
In iAPX 86/20 systems, this synchronization is
achieved by placing a WAIT instruction before an ESC
instruction. For most ESC instructions, the iAPX 286/20
does not require a WAIT instruction before the ESC
opcode. However, the iAPX 286/20 will operate correctly
with these WAIT instructions. In all cases, a WAIT
or ESC instruction should be inserted after any 80287
store to memory (except FSTSW and FSTCW) or load
from memory (except FLDENV or FRSTOR) before the
80286 reads or changes the value to be sure the
numeric value has already been written or read by
the NPX.


Data transfers between memory and the 80287,
when needed, are controlled by the PEREQ,
PEACK, NPRD, NPWR, NPS1, NPS2 signals. The
80286 does the actual data transfer with memory
through its processor extension data channel.
Numeric data transfers with memory performed by
the 80286 use the same timing as any other bus
cycle. Control signals for the 80287 are generated
by the 80286 as shown in Figure 4, and meet the
timing requirements shown in the AC requirements
section.


NUMERIC EXECUTION UNIT 


The NEU executes all instructions that involve the 
register stack; these include arithmetic, logical, tran- 
scendental, constant and data transfer instructions. 
The data path in the NEU is 84 bits wide (68 signifi- 
cand bits, 15 exponent bits and a sign bit) which 
allows internal operand transfers to be performed at 
very high speeds. 


When the NEU begins executing an instruction, it 
activates the BIU BUSY signal. This signal is used 
in conjunction with the CPU WAIT instruction or 
automatically with most of the ESC instructions to 
synchronize both processors. 


REGISTER SET 


The 80287 register set is shown in Figure 5. Each of
the eight data registers in the 80287's register stack
is 80 bits wide and is divided into "fields" corresponding
to the NPX's temporary real data type.


Figure 5. 80287 Register Set (data field: sign at bit 79, exponent, significand from bit 63; tag field; control register, status register, tag word, instruction pointer, data pointer)


At a given point in time the ST field in the status
word identifies the current top-of-stack register. A
"push" operation decrements ST by 1 and loads a
value into the new top register. A "pop" operation
stores the value from the current top register and
then increments ST by 1. Like 80286 stacks in
memory, the 80287 register stack grows "down"
toward lower-addressed registers.


Instructions may address the data registers either
implicitly or explicitly. Many instructions operate on
the register at the Stack Top. These instructions
implicitly address the register pointed by the ST.
Other instructions allow the programmer to explicitly
specify the register which is to be used. This
explicit register addressing is also "top-relative."


Bits 14-12 of the status word point to the 80287 register
that is the current top-of-stack (ST) as described
above. Figure 6 shows the six error flags in bits
5-0 of the status word. Bits 5-0 are set to indicate
that the NEU has detected an exception while
executing an instruction. The section on exception
handling explains how they are set and used.


The instructions FSTSW, FSTSW AX, FSTENV, and
FSAVE which store the status word are executed
exclusively by the BIU and do not set the Busy bit
themselves or require the Busy bit be cleared in
order to be executed.


The four numeric condition code bits (C0-C3) are
similar to the flags in a CPU: instructions that perform
arithmetic operations update these bits to reflect the
outcome of NPX operations. The effect of these
instructions on the condition code bits is summarized
in Tables 5a and 5b.




Bit 7 is the error summary status bit. This bit is set if
any unmasked exception bit is set and cleared otherwise.
If this bit is set, the ERROR signal is asserted.


Status word fields shown in Figure 6:

EXCEPTION FLAGS (1 = EXCEPTION HAS OCCURRED)
  INVALID OPERATION*
  DENORMALIZED OPERAND*
  ZERO DIVIDE*
  OVERFLOW*
  UNDERFLOW*
  PRECISION*
(RESERVED)
ERROR SUMMARY STATUS(1)
CONDITION CODE(2)
STACK TOP POINTER(3)
NEU BUSY


(1) ES IS SET IF ANY UNMASKED EXCEPTION BIT IS SET, CLEARED OTHERWISE.

(2) SEE TABLE 1-4 FOR CONDITION CODE INTERPRETATION.

(3) ST VALUES
    000 = REGISTER 0 IS TOP OF STACK
    001 = REGISTER 1 IS TOP OF STACK
    ...
    111 = REGISTER 7 IS TOP OF STACK

*FOR DEFINITIONS, SEE THE SECTION ON EXCEPTION HANDLING


Figure 6. 80287 Status Word


TAG WORD


The tag word marks the content of each register as
shown in Figure 7. The principal function of the tag
word is to optimize the NPX's performance. The eight
two-bit tags in the tag word can be used, however, to
interpret the contents of 80287 registers.


INSTRUCTION AND DATA POINTERS 

The instruction and data pointers (See Figures 8a
and 8b) are provided for user-written error handlers.
Whenever the 80287 executes a new instruction,
the BIU saves the instruction address, the
operand address (if present), and the instruction
opcode. 80287 instructions can store this data into
memory.


The instruction and data pointers appear in one of
two formats depending on the operating mode of
the 80287. In real mode, these values are the 20-bit
physical address and 11-bit opcode formatted like
the 8087. In protected mode, these values are the
32-bit virtual addresses used by the program
which executed an ESC instruction. The same
FLDENV/FSTENV/FSAVE/FRSTOR instructions as
those of the 8087 are used to transfer these values
between the 80287 registers and memory.


The saved instruction address in the 80287 will 
point at any prefixes which preceded the instruc- 
tion. This is different than in the 8087 which only 
pointed at the ESCAPE instruction opcode. 


Table 5a. Condition Code Interpretation

[The C3, C2 and C1 columns are not legible; the C0 value is shown where it survives.]

Instruction Type    C0    Interpretation

Compare, Test             ST > Source or 0 (FTST)
                          ST < Source or 0 (FTST)
                          ST = Source or 0 (FTST)
                          ST is not comparable

Remainder                 Complete reduction with three low bits of quotient (See Table 5b)
                    U     Incomplete Reduction

Examine             0     Valid, positive unnormalized
                    1     Invalid, positive, exponent = 0
                    0     Valid, negative, unnormalized
                    1     Invalid, negative, exponent = 0
                    0     Valid, positive, normalized
                    1     Infinity, positive
                    0     Valid, negative, normalized
                    1     Infinity, negative
                    0     Zero, positive
                    1     Empty
                    0     Zero, negative
                    1     Empty
                    0     Invalid, positive, exponent = 0
                    1     Empty
                    0     Invalid, negative, exponent = 0
                    1     Empty

NOTES:

1. ST = Top of stack

2. X = value is not affected by instruction

3. U = value is undefined following instruction

4. Qn = Quotient bit n


Table 5b. Condition Code Interpretation after
FPREM Instruction As a Function of
Dividend Value

Dividend Range

Dividend < 2 * Modulus
Dividend < 4 * Modulus
Dividend ≥ 4 * Modulus

NOTE:
1. Previous value of indicated bit, not affected by FPREM
instruction execution.


CONTROL WORD


The NPX provides several processing options
which are selected by loading a word from memory
into the control word. Figure 9 shows the format
and encoding of fields in the control word.


The low order byte of this control word configures
the 80287 error and exception masking. Bits 5-0 of
the control word contain individual masks for each
of the six exceptions that the 80287 recognizes.
The high order byte of the control word configures
the 80287 operating mode including precision,
rounding, and infinity control. The precision control
bits (bits 9-8) can be used to set the 80287
internal operating precision at less than the
default of temporary real (80-bit) precision. This
can be useful in providing compatibility with the
early generation arithmetic processors of smaller
precision than the 80287. The rounding control
bits (bits 11-10) provide for directed rounding and
true chop as well as the unbiased round to nearest
even mode specified in the IEEE standard. Control
over closure of the number space at infinity is also
provided (either affine closure: ±∞, or projective
closure: ∞, is treated as unsigned, may be
specified).
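The control word fields described above, and the rule that ES is set only by unmasked exception bits, can be modelled in a few lines of C. This is an added example, not code from the manual; the struct, function names and sample words are hypothetical, and placing infinity control at bit 12 is an assumption taken from the 8087-compatible layout that Figure 9 depicts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Exception bit positions, shared by the status word flags and the control
 * word masks (bits 5-0, in the order the status and control word figures list). */
enum {
    NPX_INVALID   = 1 << 0,
    NPX_DENORMAL  = 1 << 1,
    NPX_ZERODIV   = 1 << 2,
    NPX_OVERFLOW  = 1 << 3,
    NPX_UNDERFLOW = 1 << 4,
    NPX_PRECISION = 1 << 5,
    NPX_EXC_ALL   = 0x3F,
    NPX_ES        = 1 << 7      /* error summary status, status word bit 7 */
};

struct npx_control {            /* hypothetical decoded view of the control word */
    uint8_t  masks;             /* bits 5-0: 1 = exception is masked */
    int      precision_bits;    /* 24, 53 or 64; 0 for the reserved encoding */
    unsigned rounding_code;     /* 0 nearest/even, 1 down, 2 up, 3 chop */
    bool     affine;            /* infinity control: 0 projective, 1 affine */
};

/* Split a control word into the fields named in the text. */
struct npx_control npx_decode_control(uint16_t cw)
{
    static const int pc_bits[4] = { 24, 0, 53, 64 };   /* bits 9-8 */
    struct npx_control c;
    c.masks          = (uint8_t)(cw & NPX_EXC_ALL);
    c.precision_bits = pc_bits[(cw >> 8) & 3];
    c.rounding_code  = (cw >> 10) & 3;                 /* bits 11-10 */
    c.affine         = ((cw >> 12) & 1) != 0;          /* assumption: bit 12 */
    return c;
}

/* Exception flags that are set in the status word and not masked. */
uint8_t npx_unmasked(uint16_t sw, uint16_t cw)
{
    return (uint8_t)(sw & ~cw & NPX_EXC_ALL);
}

/* Recompute ES: set if any unmasked exception bit is set, cleared otherwise. */
uint16_t npx_update_es(uint16_t sw, uint16_t cw)
{
    if (npx_unmasked(sw, cw))
        return (uint16_t)(sw | NPX_ES);
    return (uint16_t)(sw & ~NPX_ES);
}

/* The ERROR signal follows ES. */
bool npx_error_asserted(uint16_t sw)
{
    return (sw & NPX_ES) != 0;
}

int main(void)
{
    static const char *const rc_name[4] = {
        "round to nearest or even", "round down", "round up", "chop"
    };
    /* Constructed sample control words: all masked, and zero divide unmasked. */
    const uint16_t cws[2] = { 0x03FF, 0x0B3B };
    const uint16_t sw = NPX_ZERODIV;    /* constructed: zero divide flag set */

    for (int i = 0; i < 2; i++) {
        struct npx_control c = npx_decode_control(cws[i]);
        uint16_t after = npx_update_es(sw, cws[i]);
        printf("cw=%04X masks=%02X precision=%d bits, %s, %s closure -> "
               "sw=%04X ERROR %s\n",
               (unsigned)cws[i], (unsigned)c.masks, c.precision_bits,
               rc_name[c.rounding_code],
               c.affine ? "affine" : "projective",
               (unsigned)after,
               npx_error_asserted(after) ? "asserted" : "not asserted");
    }
    return 0;
}
```

With the zero divide mask clear, the same flag that was silently absorbed under the first control word raises ES and ERROR under the second.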
TAG VALUES:
10 = INVALID or INFINITY
11 = EMPTY

NOTE: The index i of tag(i) is not top-relative. A program
typically uses the "top" field of Status Word to determine
which tag(i) field refers to logical top of stack.


Figure 7. 80287 Tag Word


Figure 8a. Protected Mode 80287 Instruction and Data Pointer Image in Memory (legible fields, by memory offset: CONTROL WORD, STATUS WORD, TAG WORD)


EXCEPTION HANDLING


The 80287 detects six different exception conditions
that can occur during instruction execution. Any or
all exceptions will cause the assertion of external
ERROR signal and ES bit of the Status Word if the
appropriate exception masks are not set.


The exceptions that the 80287 detects and the "default"
procedures that will be carried out if the exception is
masked, are as follows:


Invalid Operation: Stack overflow, stack underflow,
indeterminate form (0/0, ∞, −∞, etc) or the use of a
Non-Number (NAN) as an operand. An exponent value
of all ones and non-zero significand is reserved to
identify NANs. If this exception is masked, the 80287
default response is to generate a specific NAN called
INDEFINITE, or to propagate already existing NANs
as the calculation result.


Overflow: The result is too large in magnitude to
fit the specified format. The 80287 will generate an
encoding for infinity if this exception is masked.


Zero Divisor: The divisor is zero while the dividend
is a non-infinite, non-zero number. Again, the
80287 will generate an encoding for infinity if this
exception is masked.


Underflow: The result is non-zero but too small in
magnitude to fit in the specified format. If this
exception is masked the 80287 will denormalize
(shift right) the fraction until the exponent is in
range. The process is called gradual underflow.
Figure 8b. Real Mode 80287 Instruction and Data Pointer Image in Memory (legible fields, by memory offset: INSTRUCTION POINTER (19-16), 0, INSTRUCTION OPCODE (10-0); DATA POINTER (15-0); DATA POINTER (19-16), 0)


15                                                          0
X X X | IC | RC | PC | X | X | PM | UM | OM | ZM | DM | IM


EXCEPTION MASKS (1 = EXCEPTION IS MASKED)
  INVALID OPERATION
  DENORMALIZED OPERAND
  ZERO DIVIDE
  OVERFLOW
  UNDERFLOW
  PRECISION
(RESERVED)
(RESERVED)
PRECISION CONTROL(1)
ROUNDING CONTROL(2)
INFINITY CONTROL (0 = PROJECTIVE, 1 = AFFINE)
(RESERVED)


(1) PRECISION CONTROL              (2) ROUNDING CONTROL

00 = 24 BITS (SHORT REAL)          00 = ROUND TO NEAREST OR EVEN
01 = RESERVED                      01 = ROUND DOWN (TOWARD −∞)
10 = 53 BITS (LONG REAL)           10 = ROUND UP (TOWARD +∞)
11 = 64 BITS (TEMP REAL)           11 = CHOP (TRUNCATE TOWARD ZERO)


Figure 9. 80287 Control Word
Denormalized Operand: At least one of the
operands is denormalized; it has the smallest exponent
but a non-zero significand. Normal processing
continues if this exception is masked off.


Inexact Result: The true result is not exactly representable
in the specified format, the result is rounded
according to the rounding mode, and this flag is set.
If this exception is masked, processing will simply
continue.


If the error is not masked, the corresponding error
bit and the error status bit (ES) in the control word
will be set, and the ERROR output signal will be
asserted. If the CPU attempts to execute another
ESC or WAIT instruction, exception 7 will occur.


The error condition must be resolved via an interrupt
service routine. The 80287 saves the address
of the floating point instruction causing the error
as well as the address of the lowest memory location
of any memory operand required by that
instruction.


iAPX 86/20 COMPATIBILITY:


iAPX 286/20 supports portability of iAPX 86/20
programs when it is in the real address mode.
However, because of differences in the numeric
error handling techniques, error handling routines
may need to be changed. The differences between
an iAPX 286/20 and iAPX 86/20 are:


1. The NPX error signal does not pass through an
   interrupt controller (8087 INT signal does).
   Therefore, any interrupt controller oriented instructions
   for the iAPX 86/20 may have to be
   deleted.


2. Interrupt vector 16 must point at the numeric
   error handler routine.


3. The saved floating point instruction address in
   the 80287 includes any leading prefixes before
   the ESCAPE opcode. The corresponding saved
   address of the 8087 does not include leading
   prefixes.


4. In protected mode, the format of the saved instruction
   and operand pointers is different than
   for the 8087. The instruction opcode is not
   saved—it must be read from memory if needed.


5. Interrupt 7 will occur when executing ESC instructions
   with either TS or EM of MSW=1. If TS
   of MSW=1 then WAIT will also cause interrupt
   7. An interrupt handler should be added to handle
   this situation.


6. Interrupt 9 will occur if the second or subsequent
   words of a floating point operand fall
   outside a segment's size. Interrupt 13 will occur
   if the starting address of a numeric operand
   falls outside a segment's size. An interrupt
   handler should be added to report these programming
   errors.


In the protected mode, iAPX 86/20 application
code can be directly ported via recompilation if the
286 memory protection rules are not violated.
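Items 5 and 6 above, together with the Table 4 descriptions, decide which vector a handler sees and whether the saved return address can be trusted. The following C model is an added example, not code from the manual: the type and function names are hypothetical, the segment is assumed to be expand-up with `limit` as the offset of its last valid byte, and no precedence between the two checks is implied.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { INSN_ESC, INSN_WAIT } npx_insn_kind;    /* hypothetical */

struct npx_fault {                 /* hypothetical result record */
    int  vector;                   /* 0 = no addressing fault, else 9 or 13 */
    bool return_addr_at_esc;       /* saved return address points at the ESC */
    bool fninit_required;          /* handler must run FNINIT before any ESC/WAIT */
};

/* Interrupt 7: ESC with EM or TS set in the MSW, or WAIT with TS set. */
int npx_int7_check(bool em, bool ts, npx_insn_kind kind)
{
    if (kind == INSN_ESC && (em || ts))
        return 7;
    if (kind == INSN_WAIT && ts)
        return 7;
    return 0;
}

/* Classify a numeric memory operand of `size` bytes (2, 4, 8 or 10) at
 * `offset` against the segment limit.  Operands move one 16-bit word at a
 * time: a first word outside the limit gives interrupt 13 before the 80287
 * has executed anything; a later word outside the limit gives interrupt 9
 * after the ESC instruction has already been executed. */
struct npx_fault npx_operand_check(uint16_t offset, unsigned size, uint16_t limit)
{
    struct npx_fault f = { 0, false, false };
    /* 32-bit arithmetic so an operand running past FFFFH is not hidden by wrap */
    uint32_t first_word_end = (uint32_t)offset + 1;
    uint32_t operand_end    = (uint32_t)offset + size - 1;

    if (first_word_end > limit) {
        f.vector = 13;
        f.return_addr_at_esc = true;    /* the instruction can be restarted */
    } else if (operand_end > limit) {
        f.vector = 9;
        f.return_addr_at_esc = false;   /* use the pointers saved in the 80287 */
        f.fninit_required = true;
    }
    return f;
}

int main(void)
{
    /* Constructed cases: 8-byte operands near the end of a 1000H-byte segment. */
    const uint16_t limit = 0x0FFF;
    const uint16_t offsets[3] = { 0x0FF8, 0x0FFA, 0x0FFF };

    for (int i = 0; i < 3; i++) {
        struct npx_fault f = npx_operand_check(offsets[i], 8, limit);
        printf("offset %04X: interrupt %d, return address %s, FNINIT %s\n",
               (unsigned)offsets[i], f.vector,
               f.return_addr_at_esc ? "at ESC" : "not at ESC",
               f.fninit_required ? "required" : "not required");
    }
    printf("WAIT with TS=1: interrupt %d\n", npx_int7_check(false, true, INSN_WAIT));
    return 0;
}
```

The interrupt 9 case is the one a handler has to treat differently: the fault arrives after the ESC has been issued, so the failing instruction is identified from the pointers saved in the 80287 rather than from the return address.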
ABSOLUTE MAXIMUM RATINGS*


Ambient Temperature Under Bias .............. 0°C to 70°C
Storage Temperature ......................... −65°C to +150°C
Voltage on Any Pin with
  Respect to Ground ......................... −1.0 to +7V
Power Dissipation ........................... 3.0 Watt


*NOTICE: Stresses above those listed under Absolute
Maximum Ratings may cause permanent
damage to the device. This is a stress rating only
and functional operation of the device at these or
any other conditions above those indicated in the
operational sections of this specification is not
implied. Exposure to absolute maximum rating
conditions for extended periods may affect device
reliability.


D.C. CHARACTERISTICS TA = 0°C to 70°C, Vcc = 5V, +/-5%

[Symbol, limit and unit columns are mostly not legible. Surviving parameter rows, 5 MHz part:]

Input LOW Voltage
Clock Input HIGH Voltage (CKM = 1; CKM = 0)
Output LOW Voltage
Input Leakage Current
Output Leakage Current
Icc  Power Supply Current  475 mA
Input Capacitance
Input/Output Capacitance (D0-D15)
CLK Capacitance
A.C. CHARACTERISTICS (TA = 0°C to 70°C, Vcc = 5V, +/-5%)
TIMING REQUIREMENTS
A.C. timings are referenced to 0.8V and 2.0V points on signals unless otherwise noted.


5 MHz - 


CLK Period : 
CKM = 1: | 200 500 


Tote 



ToLcH avg time 


118 
CKM = 0 15 230 


CLK one 


ToucL Aap 


CKM = 0: 


TcH1CH2 
Totecut 

WW 
TwHpx 


TWiw: | 
TeirH NPWR, NPRD Active Time 

Tava Command Valid to NPWR or 

Taye NPRD Active 


Oo 


co 


TMHRL Minimum Delay from PEREQ 
Active to NPRD Active 130 


TKLKH PEACK Active Time 


TKHKL PEACK Inactive Time 


250 
TkHCH PEACK Inactive to NPWR, NPRD 50 


Inactive 


79 
30 
95... 
85 


TouKL NPWR, NPRD Inactive to PEACK 
Active | 


TWHax: Command Hold from NPWR 
TRHAX NPRD Inactive 


TKLCL PEACK Active Setup to NPWR, 
NPRD Active 50 


Tooter 


-30 
30 


ToctsH 
A.C. CHARACTERISTICS, continued 
TIMING REQUIREMENTS 


| Symbol | __Parameter 
28. 
READY Hold Time from CLK286 


70 
‘6 
20 


HLDA Setup Time to CLK286 | 0 | 


A.C. CHARACTERISTICS, 
TIMING RESPONSES 


| 
ERROR Active to BUSY Inactive 
NPWR Active to BUSY Active 
PEACK Active to PEREQ Inactive 


Tomo Command Inactive Time 
Write-to-Write 
Read-to-Read 
Write-to-Read 
Read-to-Write 


Data Hold from NPRD Inactive 


NOTES: 
1. This is an asynchronous input. This specification is given for testing purposes only, to assure recognition at a specific CLK edge. 
2. Float condition occurs when output current is less than ILO on D0-D15. 
3. D0-D15 loading: CL = 100pF. 
4. BUSY loading: CL = 100pF. 
5. BUSY loading: CL = 100pF. 
6. On last data transfer of numeric instruction. 
7. D0-D15 loading: CL = 100pF. 
WAVEFORMS (cont.) 


[Figure: DATA TRANSFER TIMING (INITIATED BY 80286). Signals shown: CMD0, CMD1, NPS1, NPS2, NPRD, DATA (transfer from 80287 and transfer to 80287). Timing parameters labelled include TAVWL, TWHAX and TWHDX.] 


[Figure: DATA CHANNEL TIMING (INITIATED BY 80287). Signals shown: CMD0, CMD1, NPS1, NPS2. Timing parameters labelled include TRHAX, TWHAX, TKLCL, TKHCH and TKHKL.] 
WAVEFORMS (cont.) 


[Figure: ERROR OUTPUT TIMING.] 


intel                    80287                    ADVANCE INFORMATION 


WAVEFORMS (Reset, NPWR, NPRD are inputs asynchronous to CLK. Timing requirements on this page 
are given for testing purposes only, to assure recognition at a specific CLK edge.) 


[Figure: CLK, RESET TIMING (CKM = 1). Signals shown: CLK (if CKM = 1), RESET.] 


[Figure: CLK, NPRD, NPWR TIMING (CKM = 1). Signals shown: CLK (if CKM = 1).] 


[Figure: CLK, RESET TIMING (CKM = 0). Signals shown: CLK (if CKM = 0), with a PHASE INDETERMINATE interval marked.] 


NOTE: Reset must meet timing shown to guarantee known phase of internal ÷3 circuit. 


[Figure: CLK, NPRD, NPWR TIMING (CKM = 0). Signals shown: CLK (if CKM = 0).] 
Table 6. 80287 Extensions to the 80286 Instruction Set 


Optional 8,16 Bit Displacement 
Clock Count Range: 32 Bit Real | 32 Bit Integer | 64 Bit Real | 16 Bit Integer 


Data Transfer 

Integer/Real Memory to ST(0)        ESCAPE MF 1  | MOD 0 0 0 R/M | DISP     38-56 | 52-60 | 40-60 | 46-54 
Long Integer Memory to ST(0)        ESCAPE 1 1 1 | MOD 1 0 1 R/M | DISP     60-68 
Temporary Real Memory to ST(0)      ESCAPE 0 1 1 | MOD 1 0 1 R/M | DISP     53-65 
BCD Memory to ST(0)                 ESCAPE 1 1 1 | MOD 1 0 0 R/M | DISP     290-310 
ST(i) to ST(0)                      ESCAPE 0 0 1 | 1 1 0 0 0 ST(i)          17-22 


FST = STORE 

ST(0) to Integer/Real Memory        ESCAPE MF 1  | MOD 0 1 0 R/M | DISP     84-90 | 82-92 | 96-104 | 80-90 
ST(0) to ST(i)                      ESCAPE 1 0 1 | 1 1 0 1 0 ST(i)          15-22 


FSTP = STORE AND POP 

ST(0) to Integer/Real Memory        ESCAPE MF 1  | MOD 0 1 1 R/M | DISP     86-92 | 84-94 | 98-106 | 82-92 
ST(0) to Long Integer Memory        ESCAPE 1 1 1 | MOD 1 1 1 R/M | DISP     94-105 
ST(0) to Temporary Real Memory      ESCAPE 0 1 1 | MOD 1 1 1 R/M | DISP     52-58 
ST(0) to BCD Memory                 ESCAPE 1 1 1 | MOD 1 1 0 R/M | DISP     520-540 
ST(0) to ST(i)                      ESCAPE 1 0 1 | 1 1 0 1 1 ST(i)          17-24 

FXCH = Exchange ST(i) and ST(0)     ESCAPE 0 0 1 | 1 1 0 0 1 ST(i)          10-15 


Comparison 

FCOM = Compare 

Integer/Real Memory to ST(0)        ESCAPE MF 0  | MOD 0 1 0 R/M | DISP     60-70 | 78-91 | 65-75 | 72-86 
ST(i) to ST(0)                      ESCAPE 0 0 0 | 1 1 0 1 0 ST(i)          40-50 


FCOMP = Compare and Pop 

Integer/Real Memory to ST(0)        ESCAPE MF 0  | MOD 0 1 1 R/M | DISP     63-73 | 80-93 | 67-77 | 74-88 
ST(i) to ST(0)                      ESCAPE 0 0 0 | 1 1 0 1 1 ST(i)          45-52 

FCOMPP = Compare ST(1) to           ESCAPE 1 1 0 | 1 1 0 1 1 0 0 1          45-55 
ST(0) and Pop Twice 

FTST = Test ST(0)                   ESCAPE 0 0 1 | 1 1 1 0 0 1 0 0          38-48 

FXAM = Examine ST(0)                ESCAPE 0 0 1 | 1 1 1 0 0 1 0 1          12-23 


Mnemonics © Intel 1982. 
Table 6. 80287 Extensions to the 80286 Instruction Set (cont.) 


Optional 8,16 Bit Displacement 
Clock Count Range: 32 Bit Real | 32 Bit Integer | 64 Bit Real | 16 Bit Integer 


Constants 

FLDZ = LOAD +0.0 into ST(0)         ESCAPE 0 0 1 | 1 1 1 0 1 1 1 0          11-17 
FLD1 = LOAD +1.0 into ST(0)         ESCAPE 0 0 1 | 1 1 1 0 1 0 0 0          15-21 
FLDPI = LOAD π into ST(0)           ESCAPE 0 0 1 | 1 1 1 0 1 0 1 1          16-22 
FLDL2T = LOAD log2 10 into ST(0)    ESCAPE 0 0 1 | 1 1 1 0 1 0 0 1          16-22 
FLDL2E = LOAD log2 e into ST(0)     ESCAPE 0 0 1 | 1 1 1 0 1 0 1 0          15-21 
FLDLG2 = LOAD log10 2 into ST(0)    ESCAPE 0 0 1 | 1 1 1 0 1 1 0 0          18-24 
FLDLN2 = LOAD loge 2 into ST(0)     ESCAPE 0 0 1 | 1 1 1 0 1 1 0 1          17-23 


Arithmetic 

FADD = Addition 

Integer/Real Memory with ST(0)      ESCAPE MF 0  | MOD 0 0 0 R/M | DISP     90-120 | 108-143 | 95-125 | 102-137 
ST(i) and ST(0)                     ESCAPE d P 0 | 1 1 0 0 0 ST(i)          70-100 (Note 1) 


FSUB = Subtraction 

Integer/Real Memory with ST(0)      ESCAPE MF 0  | MOD 1 0 R R/M | DISP     90-120 | 108-143 | 95-125 | 102-137 
ST(i) and ST(0)                     ESCAPE d P 0 | 1 1 1 0 R R/M            70-100 (Note 1) 


FMUL = Multiplication 

Integer/Real Memory with ST(0)      ESCAPE MF 0  | MOD 0 0 1 R/M | DISP     110-125 | 130-144 | 112-168 | 124-138 
ST(i) and ST(0)                     ESCAPE d P 0 | 1 1 0 0 1 R/M            90-145 (Note 1) 


FDIV = Division 

Integer/Real Memory with ST(0)      ESCAPE MF 0  | MOD 1 1 R R/M | DISP     215-225 | 230-243 | 220-230 | 224-238 
ST(i) and ST(0)                     ESCAPE d P 0 | 1 1 1 1 R R/M            193-203 (Note 1) 


FSQRT = Square Root of ST(0)        ESCAPE 0 0 1 | 1 1 1 1 1 0 1 0          180-186 

FSCALE = Scale ST(0) by ST(1)       ESCAPE 0 0 1 | 1 1 1 1 1 1 0 1          32-38 

FPREM = Partial Remainder of        ESCAPE 0 0 1 | 1 1 1 1 1 0 0 0          15-190 
ST(0) ÷ ST(1) 

FRNDINT = Round ST(0) to            ESCAPE 0 0 1 | 1 1 1 1 1 1 0 0          16-50 
Integer 


NOTE: 
1. If P=1 then add 5 clocks. 
Table 6. 80287 Extensions to the 80286 Instruction Set (cont.) 


Optional 8,16 Bit Displacement 
Clock Count Range 


FXTRACT = Extract                   ESCAPE 0 0 1 | 1 1 1 1 0 1 0 0          27-55 
Components of ST(0) 

FABS = Absolute Value of ST(0)      ESCAPE 0 0 1 | 1 1 1 0 0 0 0 1          10-17 
FCHS = Change Sign of ST(0)         ESCAPE 0 0 1 | 1 1 1 0 0 0 0 0          10-17 


Transcendental 

FPTAN = Partial Tangent of ST(0)    ESCAPE 0 0 1 | 1 1 1 1 0 0 1 0          30-540 
FPATAN = Partial Arctangent         ESCAPE 0 0 1 | 1 1 1 1 0 0 1 1          250-800 
of ST(0) ÷ ST(1) 
F2XM1 = 2^ST(0) − 1                 ESCAPE 0 0 1 | 1 1 1 1 0 0 0 0          310-630 
FYL2X = ST(1) * Log2 |ST(0)|        ESCAPE 0 0 1 | 1 1 1 1 0 0 0 1          900-1100 
FYL2XP1 = ST(1) * Log2              ESCAPE 0 0 1 | 1 1 1 1 1 0 0 1          700-1000 
[|ST(0)| + 1] 


Processor Control 

FINIT = Initialize NPX              ESCAPE 0 1 1 | 1 1 1 0 0 0 1 1          2-8 
FSETPM = Enter Protected Mode       ESCAPE 0 1 1 | 1 1 1 0 0 1 0 0          2-8 
FSTSW AX = Store Control Word       ESCAPE 1 1 1 | 1 1 1 0 0 0 0 0          10-16 
FLDCW = Load Control Word           ESCAPE 0 0 1 | MOD 1 0 1 R/M | DISP     7-14 
FSTCW = Store Control Word          ESCAPE 0 0 1 | MOD 1 1 1 R/M | DISP     12-18 
FSTSW = Store Status Word           ESCAPE 1 0 1 | MOD 1 1 1 R/M | DISP     12-18 
FCLEX = Clear Exceptions            ESCAPE 0 1 1 | 1 1 1 0 0 0 1 0          2-8 
FLDENV = Load Environment           ESCAPE 0 0 1 | MOD 1 0 0 R/M | DISP     35-45 
FSTENV = Store Environment          ESCAPE 0 0 1 | MOD 1 1 0 R/M | DISP     40-50 
FSAVE = Save State                  ESCAPE 1 0 1 | MOD 1 1 0 R/M | DISP     205-215 
FRSTOR = Restore State              ESCAPE 1 0 1 | MOD 1 0 0 R/M | DISP     205-215 
FINCSTP = Increment Stack Pointer   ESCAPE 0 0 1 | 1 1 1 1 0 1 1 1          6-12 
FDECSTP = Decrement Stack Pointer   ESCAPE 0 0 1 | 1 1 1 1 0 1 1 0          6-12 
Table 6. 80287 Extensions to the 80286 Instruction Set (cont.) 


Clock Count Range 


FFREE = Free ST(i)                  ESCAPE 1 0 1 | 1 1 0 0 0 ST(i)          9-16 
FNOP = No Operation                 ESCAPE 0 0 1 | 1 1 0 1 0 0 0 0          10-16 


NOTES: 
1. if mod=00 then DISP=0*, disp-low and disp-high are absent 
if mod=01 then DISP=disp-low sign-extended to 16-bits, disp-high is absent 
if mod=10 then DISP=disp-high; disp-low 
if mod=11 then r/m is treated as an ST(i) field 
2. if r/m=000 then EA=(BX) + (SI) +DISP 
if r/m=001 then EA=(BX) + (DI) +DISP 
if r/m=010 then EA=(BP) + (SI) +DISP 
if r/m=011 then EA=(BP) + (DI) +DISP 
if r/m=100 then EA=(SI) + DISP 
if r/m=101 then EA=(DI) + DISP 
if r/m=110 then EA=(BP) + DISP 
if r/m=111 then EA=(BX) + DISP 


*except if mod=000 and r/m=110 then EA =disp-high; disp-low. 
3. MF= Memory Format 
00—32-bit Real 
01—32-bit Integer 
10—64-bit Real 
11—16-bit Integer 
4. ST(0)= Current stack top 
ST(i)= ith register below stack top 
5. d= Destination 
0—Destination is ST(0) 
1—Destination is ST(i) 
6. P= Pop 
0—No pop 
1—Pop ST(0) 
7. R= Reverse: When d=1 reverse the sense of R 
0—Destination (op) Source 
1—Source (op) Destination 


8. For FSQRT: −0 < ST(0) < +∞ 
For FSCALE: −2^15 < ST(1) < +2^15 and ST(1) integer 
For F2XM1: 0 < ST(0) < 2^−1 
For FYL2X: 0 < ST(0) < ∞ 
−∞ < ST(1) < +∞ 
For FYL2XP1: 0 < |ST(0)| < (2 − √2)/2 
−∞ < ST(1) < ∞ 
For FPTAN: 0 < ST(0) < π/4 
For FPATAN: 0 < ST(0) < ST(1) < +∞ 


9. ESCAPE bit pattern is 11011. 
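
The field layout in Notes 1, 2, 3 and 9 can be applied mechanically to the first two bytes of an instruction. The decoder below is an added example, not code from this manual; the names esc_fields and esc_decode and the sample byte sequences are illustrative, and it assumes the displacement is stored low byte first, as 80286 instruction bytes are.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded fields of one 80287 ESCAPE instruction (names are illustrative). */
typedef struct {
    unsigned mf;       /* Note 3: 0=32-bit Real, 1=32-bit Integer, 2=64-bit Real,
                          3=16-bit Integer; only meaningful on rows with an MF field */
    unsigned mod;      /* second byte, bits 7-6 */
    unsigned op;       /* second byte, bits 5-3 */
    unsigned rm;       /* second byte, bits 2-0 */
    int      st_form;  /* 1 when mod=11: r/m is an ST(i) index (Note 1) */
    uint16_t disp;     /* displacement, sign-extended to 16 bits for mod=01 */
    size_t   length;   /* bytes consumed: 2 plus displacement bytes */
    char     ea[24];   /* effective-address expression in the notation of Note 2 */
} esc_fields;

/* Note 2, indexed by r/m. */
static const char *const EA_BASE[8] = {
    "(BX)+(SI)", "(BX)+(DI)", "(BP)+(SI)", "(BP)+(DI)",
    "(SI)", "(DI)", "(BP)", "(BX)"
};

/* Returns 0 on success, -1 if the bytes are not a complete ESCAPE instruction. */
int esc_decode(const uint8_t *p, size_t n, esc_fields *out)
{
    size_t disp_len;
    int direct;

    if (p == NULL || out == NULL || n < 2)
        return -1;
    if ((p[0] >> 3) != 0x1B)            /* Note 9: top five bits must be 11011 */
        return -1;

    memset(out, 0, sizeof *out);
    out->mf  = (p[0] >> 1) & 3u;
    out->mod = p[1] >> 6;
    out->op  = (p[1] >> 3) & 7u;
    out->rm  = p[1] & 7u;

    if (out->mod == 3) {                /* register form, no memory operand */
        out->st_form = 1;
        out->length = 2;
        snprintf(out->ea, sizeof out->ea, "ST(%u)", out->rm);
        return 0;
    }

    /* Footnote to Note 1: mod=00 with r/m=110 is a direct 16-bit address. */
    direct = (out->mod == 0 && out->rm == 6);
    disp_len = direct ? 2 : out->mod;   /* mod 00/01/10 -> 0/1/2 bytes */
    if (n < 2 + disp_len)               /* truncated buffer: never read past it */
        return -1;

    if (disp_len == 1)                  /* disp-low sign-extended to 16 bits */
        out->disp = (p[2] & 0x80) ? (uint16_t)(0xFF00u | p[2]) : p[2];
    else if (disp_len == 2)             /* assumption: low byte first in memory */
        out->disp = (uint16_t)(p[2] | (p[3] << 8));

    out->length = 2 + disp_len;
    if (direct)
        snprintf(out->ea, sizeof out->ea, "%04Xh", (unsigned)out->disp);
    else if (out->mod == 0)
        snprintf(out->ea, sizeof out->ea, "%s", EA_BASE[out->rm]);
    else
        snprintf(out->ea, sizeof out->ea, "%s+DISP", EA_BASE[out->rm]);
    return 0;
}

int main(void)
{
    /* Constructed sample encodings, not taken from the manual. */
    static const uint8_t samples[][4] = {
        {0xD8, 0x06, 0x34, 0x12},   /* MF=00, mod=00, r/m=110: direct address */
        {0xDD, 0x5E, 0xF8, 0x00},   /* MF=10, mod=01, r/m=110: (BP)+DISP */
        {0xD9, 0xC9, 0x00, 0x00},   /* mod=11: register form ST(1) */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        esc_fields f;
        if (esc_decode(samples[i], sizeof samples[i], &f) == 0)
            printf("%02X %02X  mf=%u mod=%u op=%u rm=%u len=%zu disp=%04X ea=%s\n",
                   samples[i][0], samples[i][1], f.mf, f.mod, f.op, f.rm,
                   f.length, (unsigned)f.disp, f.ea);
    }
    return 0;
}
```

The length field is what a disassembler or emulator needs in order to find the next instruction; returning -1 on a short buffer keeps the decoder from reading displacement bytes that are not there.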
GLOSSARY OF 80287 
AND FLOATING-POINT TERMINOLOGY 


This glossary defines many terms that have precise technical meanings as specified in the IEEE 754 
Standard. Where these terms are used, they have been capitalized to emphasize the precision of their 
meanings. In reading these definitions, you may therefore interpret any capitalized terms or phrases as 
cross-references. 


Affine Mode: a state of the 80287, selected in the 80287 Control Word, in which infinities are treated 
as having a sign. Thus, the values +INFINITY and —INFINITY are considered different; they can 
be compared with finite numbers and with each other. 


Base: (1) a term used in logarithms and exponentials. In both contexts, it is a number that is being 
raised to a power. The two equations (y = log base b of x) and (b^y = x) are the same. 


Base: (2) a number that defines the representation being used for a string of digits. Base 2 is the binary 
representation; Base 10 is the decimal representation; Base 16 is the hexadecimal representation. In 
each case, the Base is the factor of increased significance for each succeeding digit (working up from 
the bottom). 


Bias: the difference between the unsigned Integer that appears in the Exponent field of a Floating- 
Point Number and the true Exponent that it represents. To obtain the true Exponent, you must subtract 
the Bias from the given Exponent. For example, the Short Real format has a Bias of 127 whenever the 
given Exponent is nonzero. If the 8-bit Exponent field contains 10000011, which is 131, the true 
Exponent is 131—127, or +4. 


Biased Exponent: the Exponent as it appears in a Floating-Point Number, interpreted as an unsigned, 
positive number. In the above example, 131 is the Biased Exponent. 


Binary Coded Decimal: a method of storing numbers that retains a base 10 representation. Each decimal 
digit occupies 4 full bits (one hexadecimal digit). The hex values A through F (1010 through 1111) 
are not used. The 80287 supports a Packed Decimal format that consists of 9 bytes of Binary Coded 
Decimal (18 decimal digits) and one sign byte. 


Binary Point: an entity just like a decimal point, except that it exists in binary numbers. Each binary 
digit to the right of the Binary Point is multiplied by an increasing negative power of two. 


C3—C0: the four “condition code” bits of the 80287 Status Word. These bits are set to certain values 
by the compare, test, examine, and remainder functions of the 80287. 


Characteristic: a term used for some non-Intel computers, meaning the Exponent field of a Floating- 
Point Number. 


Chop: to set the fractional part of a real number to zero, yielding the nearest Integer in the direction 
of zero. 


Control Word: a 16-bit 80287 register that the user can set, to determine the modes of computation 
the 80287 will use, and the error interrupts that will be enabled. 


Denormal: a special form of Floating-Point Number, produced when an Underflow occurs. On the 
80287, a Denormal is defined as a number with a Biased Exponent that is zero. By providing a Signi- 
ficand with leading zeros, the range of possible negative Exponents can be extended by the number of 
bits in the Significand. Each leading zero is a bit of lost accuracy, so the extended Exponent range is 
obtained by reducing significance. 


Double Extended: the Standard’s term for the 80287 Temporary Real format, with more Exponent 
and Significand bits than the Double (Long Real) format, and an explicit Integer bit in the Significand. 


Double Floating Point Number: the Standard’s term for the 80287’s 64-bit Long Real format. 


Environment: the 14 bytes of 80287 registers affected by the FSTENV and FLDENV instructions. It 
encompasses the entire state of the 80287, except for the 8 Temporary Real numbers of the 80287 
stack. Included are the Control Word, Status Word, Tag Word, and the instruction, opcode, and operand 
information provided by interrupts. 


Exception: any of the six error conditions (I, D, O, U, Z, P) signalled by the 80287. 


Exponent: (1) any power that is raised by an exponential function. For example, the operand to the 
function mqerEXP is an Exponent. The Integer operand to mqerYI2 is an Exponent. 


Exponent: (2) the field of a Floating-Point Number that indicates the magnitude of the number. This 
would fall under the above more general definition (1), except that a Bias sometimes needs to be 
subtracted to obtain the correct power. 


Floating-Point Number: a sequence of data bytes that, when interpreted in a standardized way, repre- 
sents a Real number. Floating-Point Numbers are more versatile than Integer representations in two 
ways. First, they include fractions. Second, their Exponent parts allow a much wider range of magni- 
tude than possible with fixed-length Integer representations. 


Gradual Underflow: a method of handling the Underflow error condition that minimizes the loss of 
accuracy in the result. If there is a Denormal number that represents the correct result, that Denormal 
is returned. Thus, digits are lost only to the extent of denormalization. Most computers return zero 
when Underflow occurs, losing all coun digits. 


Implicit Integer Bit: a part of the Significand in the Short Real and Long Real formats that is not 
explicitly given. In these formats, the entire given Significand is considered to be to the right of the 
Binary Point. A single Implicit Integer Bit to the left of the Binary Point is always 1, except in one 
case. When the Exponent is the minimum (Biased Exponent is 0), the Implicit Integer Bit is 0. 


Indefinite: a special value that is returned by functions when the inputs are such that no other sensible 
answer is possible. For each Floating-Point format there exists one Nontrapping NaN that is designated 
as the Indefinite value. For binary Integer formats, the negative number furthest from zero is often 
considered the Indefinite value. For the 80287 Packed Decimal format, the Indefinite value contains 
all 1’s in the sign byte and the uppermost digits byte. 


Infinity: a value that has greater magnitude than any Integer or any Real number. The existence of 
Infinity is subject to heated philosophical debate. However, it is often useful to consider Infinity as 
another number, subject to special rules of arithmetic. All three Intel Floating-Point formats provide 
representations for +INFINITY and —INFINITY. They support two ways of dealing with Infinity: 
Projective (unsigned) and Affine (signed). 


Integer: a number (positive, negative, or zero) that is finite and has no fractional part. Integer can also 
mean the computer representation for such a number: a sequence of data bytes, interpreted in a stand- 
ard way. It is perfectly reasonable for Integers to be represented in a Floating-Point format; this is 
what the 80287 does whenever an Integer is pushed onto the 80287 stack. 
Invalid Operation: the error condition for the 80287 that covers all cases not covered by other errors. 
Included are 80287 stack overflow and underflow, NaN inputs, illegal infinite inputs, out-of-range 
inputs, and illegal unnormal inputs. 


Long Integer: an Integer format supported by the 80287 that consists of a 64-bit Two’s Complement 
quantity. 


Long Real: a Floating-Point Format supported by the 80287 that consists of a sign, an 11-bit Biased 
Exponent, an Implicit Integer Bit, and a 52-bit Significand—a total of 64 explicit bits. 


Mantissa: a term used for some non-Intel computers, meaning the Significand of a Floating-Point 
Number. 


Masked: a term that applies to each of the six 80287 Exceptions I,D,Z,O,U,P. An exception is Masked 
if a corresponding bit in the 80287 Control Word is set to 1. If an exception is Masked, the 80287 will 
not generate an interrupt when the error condition occurs; it will instead provide its own error recovery. 


NaN: an abbreviation for Not a Number; a Floating-Point quantity that does not represent any numeric 
or infinite quantity. NaNs should be returned by functions that encounter serious errors. If created 
during a sequence of calculations, they are transmitted to the final answer and can contain information 
about where the error occurred. 


Nontrapping NaN: a NaN in which the most significant bit of the fractional part of the Significand is 
1. By convention, these NaNs can undergo certain operations without visible error. Nontrapping NaNs 
are implemented for the 80287 via the software in EH87.LIB. 


Normal: the representation of a number in a Floating-Point format in which the Significand has an 
Integer bit 1 (either explicit or Implicit). 


Normalizing Mode: a state in which nonnormal inputs are automatically converted to normal inputs 
whenever they are used in arithmetic. Normalizing Mode is implemented for the 80287 via the software 
in EH87.LIB. 

NPX: Numeric Processor Extension. This is the 80287. 


Overflow: an error condition in which the correct answer is finite, but has magnitude too great to be 
represented in the destination format. 


Packed Decimal: an Integer format supported by the 80287. A Packed Decimal number is a 10-byte 
quantity, with nine bytes of 18 Binary Coded Decimal digits, and one byte for the sign. 


Pop: to remove from a stack the last item that was placed on the stack. 

Precision Control: an option, programmed through the 80287 Control Word, that allows all 80287 
arithmetic to be performed with reduced precision. Because no speed advantage results from this option, 
its only use is for strict compatibility with the IEEE Standard, and with other computer systems. 

Precision Exception: an 80287 error condition that results when a calculation does not return an exact 
answer. This exception is usually Masked and ignored; it is used only in extremely critical applications, 
when the user must know if the results are exact. 

Projective Mode: a state of the 80287, selected in the 80287 Control Word, in which infinities are 
treated as not having a sign. Thus the values +INFINITY and —INFINITY are considered the same. 
Certain operations, such as comparison to finite numbers, are illegal in Projective Mode but legal in 
Affine Mode. Thus Projective Mode gives you a greater degree of error control over infinite inputs. 


Pseudo Zero: a special value of the Temporary Real format. It is a number with a zero Significand 
and an Exponent that is neither all zeros or all ones. Pseudo zeros can come about as the result of 
multiplication of two Unnormal numbers; but they are very rare. 


Real: any finite value (negative, positive, or zero) that can be represented by a decimal expansion. The 
fractional part of the decimal expansion can contain an infinite number of digits. Reals can be repre- 
sented as the points of a line marked off like a ruler. The term Real can also refer to a Floating-Point 
Number that represents a Real value. 


Short Integer: an Integer format supported by the 80287 that consists of a 32-bit Two’s Complement 
quantity. Short Integer is not the shortest 80287 Integer format—the 16-bit Word Integer is. 


Short Real: a Floating-Point Format supported by the 80287, which consists of a sign, an 8-bit Biased 
Exponent, an Implicit Integer Bit, and a 23-bit Significand—a total of 32 explicit bits. 


Significand: the part of a Floating-Point Number that consists of the most significant nonzero bits of 
the number, if the number were written out in an unlimited binary format. The Significand alone is 
considered to have a Binary Point after the first (possibly Implicit) bit; the Binary Point is then moved 
according to the value of the Exponent. 


Single Extended: a Floating-Point format, required by the Standard, that provides greater precision 
than Single; it also provides an explicit Integer Significand bit. The 80287’s Temporary Real format 
meets the Single Extended requirement as well as the Double Extended requirement. 


Single Floating-Point Number: the Standard’s term for the 80287’s 32-bit Short Real format. 


Standard: “a Proposed Standard for Binary Floating-Point Arithmetic,” Draft 10.0 of IEEE Task P754, 
December 2, 1982. 


Status Word: A 16-bit 80287 register that can be manually set, but which is usually controlled by side 
effects to 80287 instructions. It contains condition codes, the 80287 stack pointer, busy and interrupt 
bits, and error flags. 

Tag Word: a 16-bit 80287 register that is automatically maintained by the 80287. For each space in 
the 80287 stack, it tells if the space is occupied by a number; if so, it gives information about what 
kind of number. 


Temporary Real: the main Floating-Point Format used by the 80287. It consists of a sign, a 15-bit 
Biased Exponent, and a Significand with an explicit Integer bit and 63 fractional-part bits. 


Transcendental: one of a class of functions for which polynomial formulas are always approximate, 
never exact for more than isolated values. The 80287 supports trigonometric, exponential, and logarith- 
mic functions; all are Transcendental. 


Trapping NaN: a NaN that causes an I error whenever it enters into a calculation or comparison, even 
a nonordered comparison. 


Two’s Complement: a method of representing Integers. If the uppermost bit is 0, the number is consid- 
ered positive, with the value given by the rest of the bits. If the uppermost bit is 1, the number is 
negative, with the value obtained by subtracting (2^bitcount) from all the given bits. For example, the 
8-bit number 11111100 is —4, obtained by subtracting 2^8 from 252. 
Unbiased Exponent: the true value that tells how far and in which direction to move the Binary Point 
of the Significand of a Floating-Point Number. For example, if a Short Real Exponent is 131, we 
subtract the Bias 127 to obtain the Unbiased Exponent +4. Thus, the Real number being represented 
is the Significand with the Binary Point shifted 4 bits to the right. 


Underflow: an error condition in which the correct answer is nonzero, but has a magnitude too small 
to be represented as a Normal number in the destination Floating-Point format. The Standard specifies 
that an attempt be made to represent the number as a Denormal. 


Unmasked: a term that applies to each of the six 80287 Exceptions: I,D,Z,O,U,P. An exception is 
Unmasked if a corresponding bit in the 80287 Control Word is set to 0. If an exception is Unmasked, 
the 80287 will generate an interrupt when the error condition occurs. You can provide an interrupt 
routine that customizes your error recovery. 


Unnormal: a Temporary Real representation in which the explicit Integer bit of the Significand is 
zero, and the exponent is nonzero. We consider Unnormal numbers distinct from Denormal numbers. 


Word Integer: an Integer format supported by both the 80286 and the 80287 that consists of a 16-bit 
Two’s Complement quantity. 


Zero divide: an error condition in which the inputs are finite, but the correct answer, even with an 
unlimited exponent, has infinite magnitude. 
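
The glossary entries for Bias, Biased Exponent, Implicit Integer Bit, Denormal, Infinity, Trapping NaN and Nontrapping NaN all describe fields of one bit layout, so they can be checked together on a Short Real. The decoder below is an added example, not code from this manual; the names sr_decode and sr_value are illustrative, and it relies on two IEEE 754 single-format facts the glossary does not spell out: an all-ones Exponent field marks Infinity or NaN, and a zero Exponent field uses the true Exponent −126.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { SR_ZERO, SR_DENORMAL, SR_NORMAL, SR_INFINITY,
               SR_TRAPPING_NAN, SR_NONTRAPPING_NAN } sr_class;

typedef struct {
    sr_class cls;
    int      sign;          /* 1 = negative */
    unsigned biased_exp;    /* 8-bit Exponent field read as an unsigned number */
    int      unbiased_exp;  /* true Exponent; valid for Normal and Denormal */
    uint32_t significand;   /* 24 bits: Integer bit at bit 23, fraction below it */
} short_real;

/* Split a 32-bit Short Real image into the fields the glossary names. */
short_real sr_decode(uint32_t bits)
{
    short_real r;
    uint32_t frac = bits & 0x007FFFFFu;     /* 23 explicit Significand bits */

    r.sign = (int)(bits >> 31);
    r.biased_exp = (bits >> 23) & 0xFFu;
    r.unbiased_exp = 0;
    r.significand = frac;

    if (r.biased_exp == 0xFF) {             /* assumption: IEEE 754 single rule */
        if (frac == 0)
            r.cls = SR_INFINITY;
        else                                /* top fraction bit set = Nontrapping */
            r.cls = (frac & 0x00400000u) ? SR_NONTRAPPING_NAN : SR_TRAPPING_NAN;
    } else if (r.biased_exp == 0) {         /* Implicit Integer Bit is 0 here */
        r.cls = frac ? SR_DENORMAL : SR_ZERO;
        r.unbiased_exp = -126;              /* assumption: IEEE 754 single minimum */
    } else {
        r.cls = SR_NORMAL;
        r.unbiased_exp = (int)r.biased_exp - 127;   /* subtract the Bias */
        r.significand = frac | 0x00800000u;         /* restore the Implicit Integer Bit */
    }
    return r;
}

/* Real value of a Zero, Denormal or Normal image; 0.0 for Infinity and NaN. */
double sr_value(uint32_t bits)
{
    short_real r = sr_decode(bits);
    double v;
    int shift;

    if (r.cls == SR_INFINITY || r.cls == SR_TRAPPING_NAN ||
        r.cls == SR_NONTRAPPING_NAN)
        return 0.0;
    v = (double)r.significand;
    shift = r.unbiased_exp - 23;            /* Binary Point sits just below bit 23 */
    for (; shift > 0; shift--) v *= 2.0;    /* powers of two are exact in double */
    for (; shift < 0; shift++) v *= 0.5;
    return r.sign ? -v : v;
}

int main(void)
{
    /* Constructed bit images; 0x41800000 carries the Exponent field 10000011
       used in the Bias entry. */
    static const uint32_t samples[] = {
        0x41800000u, 0xC1200000u, 0x00000001u, 0x80000000u,
        0x7F800000u, 0x7FC00000u, 0x7F800001u
    };
    static const char *const names[] = {
        "Zero", "Denormal", "Normal", "Infinity", "Trapping NaN", "Nontrapping NaN"
    };
    unsigned i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short_real r = sr_decode(samples[i]);
        printf("%08lX  %-15s biased=%3u unbiased=%4d significand=%06lX value=%g\n",
               (unsigned long)samples[i], names[r.cls], r.biased_exp,
               r.unbiased_exp, (unsigned long)r.significand, sr_value(samples[i]));
    }
    return 0;
}
```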
ALABAMA 


Intel Corp. 

5015 Bradford Drive 
Suite 2 

Huntsville 35805 
Tel: (205) 830-4010 


ARIZONA 


Intel Corp. 
11225 N. 28th Drive 
Suite 214D 

Phoenix 85029 

Tel: (602) 869-4980 


Intel Corp. 

1161 N. El Dorado Place 
Suite 301 

Tucson 85715 

Tel: (602) 299-6815 


CALIFORNIA 


Intel Corp. 

21515 Vanowen Street 
Suite 116 

Canoga Park 91303 
Tel: (818) 704-8500 


Intel Corp. 

2250 E. Imperial Highway 
Suite 218 

El Segundo 90245 

Tel: (213) 640-6040 


Intel Corp. 

1510 Arden Way, Suite 101 
Sacramento 95815 

Tel: (916) 920-8096 


Intel Corp. 

4350 Executive Drive 
Suite 105 

San Diego 92121 
(619) 452-5880 


Intel Corp.* 

2000 East 4th Street 
Suite 100 

Santa Ana 92705 
Tel: (714) 835-9642 
TWX: 910-595-1114 


Intel Corp.* 

1350 Shorebird Way 
Mt. View 94043 
Tel: (415) 968-8086 
TWX: 910-339-9279 
910-338-0255 


COLORADO 


Intel Corp. 

3300 Mitchell Lane, Suite 210 
Boulder 80301 

Tel: (303) 442-8088 


Intel Corp. 

4445 Northpark Drive 
Suite 100 

Colorado Springs 80907 
Tel: (303) 594-6622 

Intel Corp.* 

650 S. Cherry Street 
Suite 915 

Denver 80222 
Tel: (303) 321-8086 
TWX: 910-931-2289 


CONNECTICUT 


Intel Corp. 

26 Mill Plain Road 
Danbury 06810 

Tel: (203) 748-3130 
TWX: 710-456-1199 


EMC Corp. 

222 Summer Street 
Stamford 06901 
Tel: (203) 327-2934 


FLORIDA 


Intel Corp. 

242 N. Westmonte Drive 
Suite 105 

Altamonte Springs 32714 
Tel: (305) 869-5588 


Intel Corp. 

6363 N.W. 6th Way, Suite 100 
Ft. Lauderdale 33309 

Tel: (305) 771-0600 

TWX: 510-956-9407 
FLORIDA (Cont'd) 


Intel Corp. 

11300 4th Street North 
Suite 170 

St. Petersburg 33702 
Tel: (813) 577-2413 


GEORGIA 

Intel Corp. 

3280 Pointe Parkway 
Suite 200 

Norcross 30092 

Tel: (404) 449-0541 


ILLINOIS 
Intel Corp.* 


300 N. Martingale Road, Suite 400 


Schaumburg 60172 
Tel: (312) 310-8031 


INDIANA 


Intel Corp. 
8777 Purdue Road 
Suite 125 
Indianapolis 46268 
Tel: (317) 875-0623 


IOWA 


Intel Corp. 

St. Andrews Building 

1930 St. Andrews Drive N.E. 
Cedar Rapids 52402 

Tel: (319) 393-5510 


KANSAS 


Intel Corp. 

8400 W. 110th Street 
Suite 170 

Overland Park 66210 
Tel: (913) 345-2727 


LOUISIANA 


Industrial Digital Systems Corp. 
Tel: (504) 899-1654 


MARYLAND 


Intel Corp.* 

7321 Parkway Drive South 
Suite C 

Hanover 21076 

Tel: (301) 796-7500 

TWX: 710-862-1944 


Intel Corp. 

7833 Walker Drive 
Greenbelt 20770 
Tel: (301) 441-1020 


MASSACHUSETTS 


Intel Corp.* 

Westford Corp. Center 
3 Carlisle Road 
Westford 01886 

Tel: (617) 629-3222 
TWX: 710-343-6333 


MICHIGAN 


Intel Corp. 

7071 Orchard Lake Road 
Suite 100 

West Bloomfield 48033 
Tel: (313) 851-8096 


MINNESOTA 


Intel Corp. 
3500 W. 80th Street 
Suite 360 

Bloomington 55431 
Tel: (612) 835-6722 
TWX: 910-576-2867 


MISSOURI 


Intel Corp. 

4203 Earth City Expressway 
Suite 131 

Earth City 63045 

Tel: (314) 291-1990 


NEW JERSEY 


Intel Corp.* 

Raritan Plaza ll 
Raritan Center 
Edison 08837 

Tel: (201) 225-3000 
TWX: 710-480-6238 


NEW MEXICO 


Intel Corp. 

8500 Menual Boulevard N.E. 
Suite B 295 

Albuquerque 87112 

Tel: (505) 292-8086 


NEW YORK 


Intel Corp.* 

300 Vanderbilt Motor Parkway 
Hauppauge 11788 

Tel: (516) 231-3300 

TWX: 510-227-6236 


Intel Corp. 
Suite 2B Hollowbrook Park 
15 Myers Corners Road 
Wappinger Falls 12590 
Tel: (914) 297-6161 

TWX: 510-248-0060 


Intel Corp.* 

211 White Spruce Boulevard 
Rochester 14623 

Tel: (716) 424-1050 

TWX: 510-253-7391 


T-Squared 

6443 Ridings Road 
Syracuse 13206 
Tel: (315) 463-8592 
TWX: 710-541-0554 


T-Squared 

7353 Pittsford-Victor Road 
Victor 14564 

Tel: (716) 924-9101 

TWX: 510-254-8542 


NORTH CAROLINA 


Intel Corp. 

5700 Executive Center Drive 
Suite 213 

Charlotte 28212 

Tel: (704) 568-8966 


Intel Corp. 

2700 Wycliff Road 
Suite 102 

Raleigh 27607 

Tel: (919) 781-8022 


OHIO 


Intel Corp.* 

6500 Poe Avenue 
Dayton 45414 

Tel: (513) 890-5350 
TWX: 810-450-2528 


Intel Corp.* 

Chagrin-Brainard Bldg., No. 300 
28001 Chagrin Boulevard 
Cleveland 44122 

Tel: (216) 464-2736 

TWX: 810-427-9298 


OKLAHOMA 


Intel Corp. 

4157 S. Harvard Avenue 
Suite 123 

Tulsa 74135 

Tel: (918) 749-8688 


OREGON 


Intel Corp. 

10700 S.W. Beaverton 
Hillsdale Highway 
Suite 22 

Beaverton 97005 

Tel: (503) 641-8086 
TWX: 910-467-8741 


PENNSYLVANIA 
Intel Corp. 


1513 Cedar Cliff Drive 
Camphill 17011 


Tel: (717) 737-5035 


Intel Corp.* 

455 Pennsylvania Avenue 
Fort Washington 19034 
Tel: (215) 641-1000 
TWX: 510-661-2077 


Intel Corp.* 

400 Penn Center Boulevard 
Suite 610 

Pittsburgh 15235 

Tel: (412) 823-4970 


Q.E.D. Electronics 
139 Terwood Road 
Box T 

Willow Grove 19090 
Tel: (215) 657-5600 


PUERTO RICO 


Intel Microprocessor Corp. 
South Industrial Park 

Las Piedras 00671 

Tel: (809) 733-3030 


TEXAS 


Intel Corp. 

313 E. Anderson Lane 
Suite 314 

Austin 78752 

Tel: (512) 454-3628 


Intel Corp.* 

12300 Ford Road 

Suite 380 

Dallas 75234 

Tel: (214) 241-8087 
TWX: 910-860-5617 


Intel Corp.* 

7322 S.W. Freeway 
Suite 1490 

Houston 77074 

Tel: (713) 988-8086 
TWX: 910-881-2490 


Industrial Digital Systems Corp. 
5925 Sovereign 

Suite 101 

Houston 77036 

Tel: (713)988-9421 


UTAH 


Intel Corp. 

5201 Green Street 
Suite 290 

Murray 84123 

Tel: (801) 263-8051 


VIRGINIA 


Intel Corp. 

1603 Santa Rosa Road 
Suite 109 

Richmond 23288 

Tel: (804) 282-5668 


WASHINGTON 


Intel Corp. 

110 110th Avenue N.E. 
Suite 510 

Bellevue 98004 

Tel: (206) 453-8086 
TWX: 910-443-3002 


Intel Corp. 

408 N. Mullan Road 
Suite 102 

Spokane 99206 

Tel: (509) 928-8086 


WISCONSIN 


Intel Corp. 

450 N. Sunnyslope Road 
Suite 130 

Chancellory Park 
Brookfield 53005 

Tel: (414) 784-8087 


CANADA 


BRITISH COLUMBIA 


Intel Semiconductor of Canada, Ltd. 
301-2245 W. Broadway 
Vancouver V6K 2E4 

Tel: (604) 738-6522 


ONTARIO 


Intel Semiconductor of Canada, Ltd. 
2650 Queensview Drive 

Suite 250 

Ottawa K2B 8H6 

Tel: (613) 829-9714 

TELEX: 053-4115 


Intel Semiconductor of Canada, Ltd. 
190 Attwell Drive 

Suite 500 

Rexdale MSW 6H8 

Tel: (416) 675-2105 

TELEX: 06983574 


QUEBEC 


Intel Semiconductor of Canada, Ltd. 
620 St. Jean Blvd. 

Pointe Claire H9R 3K3 

Tel: (514) 694-9130 

TWX: 514-694-9134 


*Field Application Location 


BELGIUM 


Intel Corporation SA 

Parc Seny 

Rue du Moulin a Papier 51 
Boite 1 

B-1160 Brussels 

Tel (02)661 07.11 

TELEX 24814 


DENMARK 


Intel Denmark A/S* 
Glentevey 61 - 3rd Floor 
DK-2400 Copenhagen 
Tel (01) 19 80 33 
TELEX 19567 


FINLAND 


Intel Finland OY 
Rousilantie 2 

SF-00390 Helsingtors 39 
Tel (90) 544 644 
TELEX 123 332 


FRANCE 


Intel Paris 

1, rue Edison, BP 303 

78054 Saint-Quentin en Yvelines 
Tel. (3) 064 60 00 

TELEX 699016 


EUROPEAN SALES OFFICES 


FRANCE (Cont'd) 


Intel Corporation, SARL 
Immeuble BBC 

4 Quai des Etrorts 
69005 Lyon 

Tel (7) 842 40 89 
TELEX 305153 


WEST GERMANY 


Intel Semiconductor GmbH* 
Seidistrasse 27 

D-8000 Munchen 2 

Tel (89) 53891 

TELEX 05-23177 INTL D 


Intel Semiconductor GmbH* 
Mainzerstrasse 75 

D-6200 Wiesbaden 1 

Tel (6121) 70 08 74 
TELEX 04168183 INTW D 


Intel Semiconductor GmbH 
Bruckstrasse 61 

7012 Fellbach 

Stuttgart 

Tel. (711) 58 00 82 
TELEX 7254826 INTS D 


Intel Semiconductor GmbH* 
Hohenzollernstrasse 5 
3000 Hannover 1 

Tel (511) 34 40 81 
TELEX. 923625 INTH D 


ISRAEL 


Intel Semiconductors Ltd.* 
Atidim Industrial Park 
Neve Sharet 

Dvora Hanevia 

Bldg No 13, 4th Floor 
PO Box 43202 

Tel Aviv 61430 

Tel 3-491099 

Telex 371215 


ITALY 


Intel Corporation Italia Spa*
Milanofiori, Palazzo E
20094 Assago (Milano) 
Tel (02) 824 00 06 
TELEX 315183 INTMIL 


NETHERLANDS 


Intel Semiconductor Nederland B.V.*
Alexanderpoort Building 

Marten Meesweg 93 

3068 Rotterdam 

Tel (10) 21 23 77 

TELEX 22283 


NORWAY 


Intel Norway A/S
P.O. Box 92
Hvamveien 4 
N-2013 

Skjetten 

Tel (2) 742 420 
TELEX 18018 


SPAIN 


Intel Iberia 

Calle Zurbaran 28 
Madrid 04 

Tel: (34) 1410 40 04 
TELEX: 46880 


SWEDEN 


Intel Sweden A.B.*
Dalvagen 24 

S-171 36 Solna

Tel: (08) 734 01 00 
TELEX: 12261 


SWITZERLAND 


Intel Semiconductor A.G.*
Talackerstrasse 17 

8152 Glattbrugg postfach 
CH-8065 Zurich. 

Tel: (01) 829 29 77
TELEX: 57989 ICH CH 


UNITED KINGDOM 


Intel Corporation (U.K.) Ltd.* 
Pipers Way 

Swindon, Wiltshire SN3 1RJ
Tel: (0793) 488 388 
TELEX: 444447 INT SWN
EUROPEAN DISTRIBUTORS/REPRESENTATIVES


AUSTRIA 


Bacher Elektronische Geraete GmbH 
Rotenmuehlgasse 26

A 1120 Wien 

Tel: (222) 83 56 46 

TELEX: 11532 BASAT A 


W. Moor GmbH 

Storchengasse 1/1/1 

A-1150 Wien
Tel: 222-85 86 46 


BELGIUM 


Inelco Belgium S.A. 

Ave. des Croix de Guerre 94 
B1120 Brussels 

Tel. (O21) 216 01 60 

TELEX: 25441 


DENMARK 


ITT Multikomponent A/S
Naverland 29 

DK-2600 Glostrup

Tel: (02) 45 66 45 
TX: 33355 


FINLAND 


Oy Fintronic AB
Melkonkatu 24 A

SF-00210 Helsinki 21 

Tel: (0) 692 60 22
TELEX: 124 224 Ftron SF 


FRANCE 


Generim 

Z.I. de Courtaboeuf

Avenue de la Baltique 
F-91943 Les Ulis Cedex-B.P.88 
Tel: (1) 907 78 78
TELEX: F691700 


Jermyn S.A. 

16, Avenue de Jean-Jaures 
F-94600 Choisy-Le-Roi 

Tel: (1) 853 12 00 
TELEX: 260 967 


Metrologie 

La Tour d' Asnieres 

4, Avenue Laurent Cely 
F-92606-Asnieres 

Tel: (1) 790 62 40 
TELEX: 611-448 


Tekelec Airtronic 

Cte des Bruyeres 

Rue Carle Vernet B.P. 2 
F-92310 Sevres 

Tel: (1) 534 75 35 
TELEX: 204552 


WEST GERMANY 


Electronic 2000 Vertriebs AG
Stahlgruberring 12

D-8000 Munich 82 

Tel. (89) 42 00 10 

TELEX 522561 EEC D 


Jermyn GmbH 

Postfach 11 80 
Schulstrasse 84 

D-6277 Bad Camberg, 
Tel: (06434) 231 
TELEX: 484426 JERM D 


CES Computer Electronics Systems 
GmbH 

Gutenbergstrasse 4 

D-2359 Henstedt-Ulzburg 

Tel: (04193) 4026 

TELEX: 2180260 


Metrologie GmbH 
Hansastrasse 15 
D-8000 Munich 21 
Tel: (89) 57 30 84 
TELEX: 5213189 


Proelectron Vertriebs GmbH 
Max Planck Strasse 1-3 
D-6072 Dreieich 

Tel: (6103) 33564 

TELEX: 417983 


IRELAND 


Micro Marketing 
Glenageary Office Park 
Glenageary 

Co. Dublin 

Tel: (1) 85 62 88 
TELEX: 31584 


ISRAEL 


Eastronics Ltd. 

11. Rozanis Street 
P.O. Box 39300 
Tel Aviv 61390 
Tel: (3) 47 51 51 
TELEX: 33638


ITALY 


Electra 3S S.P.A. 
Viale Elvezia, 18 

I-20154 Milano
Tel: (2) 34 97 51 
TELEX: 332332


Intesi 

Milanofiori Pal. E/5 
I-20090 Assago
Milano 

Tel: (2) 82470 
TELEX: 311351 


NETHERLANDS


Koning & Hartman 
Koperwerf 30

PO Box 43220

2544 EN 's Gravenhage
Tel: 31 (70) 210.101 
TELEX: 31528 


NORWAY 


Nordisk Elektronic (Norge) A/S 
Postoffice Box 122 
Smedsvingen 4 

1364 Hvalstad 

Tel. (2) 846 210 

TELEX: 17546 


PORTUGAL 


Ditram 

Componentes E Electronica LDA
Av. Miguel Bombarda, 133
P-1000 Lisboa

Tel. (19) 545 313. 

TELEX: 14182 Brieks-P 


SPAIN 


Interface S.A. 

Av. Pompeu Fabra 12 
08024 Barcelona 

Tel: (3) 219. 80 11 
TELEX: 51508 


ITT SESA 

Miguel Angel 21, 6 Piso 
Madrid 10 

Tel: (34) 14 1954 00 
TELEX: 27461 


Diode Espana 


4 


Tel: 455 36 86 
TELEX: 42148 


SWEDEN 


AB Gosta Backstrom 
Box 12009 
Alstroemergatan 22 
S-10221 Stockholm
Tel: (08) 541 080 
TELEX: 10135 


Nordisk Electronik AB 
Box 1409 
Huvudstagatan 1 

171 27 Solna 

Tel: (08) 734 97 70
TELEX: 10547 


SWITZERLAND 


Industrade AG 
Hertistrasse 31 

CH-8304 Wallisellen 

Tel: (01) 830 50 40 
TELEX: 56788 INDEL CH 


UNITED KINGDOM 


Bytech Ltd. 

Unit 57 

London Road 
Early, Reading 
Berkshire 

Tel: (0734) 61031 
TELEX: 848215 


Comway Microsystems Ltd.
Market Street
UK-Bracknell, Berkshire
Tel: 44 (344) 55333 
TELEX: 847201 


Jermyn Industries
Vestry Estate 
Sevenoaks, Kent 
Tel: (0732) 450144
TELEX: 95142 


M.E.D.L. 

East Lane Road 
North Wembley
Middlesex HA9 7PP
Tel: (190) 49307 
TELEX: 28817 


Rapid Recall, Ltd. 

Rapid House/Denmark St 
High Wycombe 

Berks, England HP11 2ER 
Tel: (494) 26 271 

TELEX: 837931 


YUGOSLAVIA 


H.R. crs Enterprises 
P.O. Box § 

San Jose, California 95150

Tel: 408/978-8000 

TELEX: 278-559 


UNITED STATES 


Intel Corporation 
3065 Bowers Avenue 
Santa Clara, CA 95051 


JAPAN 
Intel Japan K.K. 


5-6 Tokodai Toyosato-machi 
Tsukuba-gun, Ibaraki-ken 300-26


Japan


FRANCE 

Intel Do ot 

5 Place de la Balance 
Silic 223 

94528 Rungis Cedex 
France 


UNITED KINGDOM 
Intel 

Piper’s Way 

Swindon 


Wiltshire, England SN3 1RJ 


WEST GERMANY 
Intel 

Seidlstrasse 27
D-8000 Munchen 2 
West Germany 